Abstract. The first efficient general primality proving method was proposed in the year 1980 by Adleman, Pomerance and Rumely and it used Jacobi sums. The method was further developed by H. W. Lenstra Jr. and several of his students, and the resulting primality proving algorithms are often referred to under the generic name of Cyclotomy Primality Proving (CPP). In the present paper we give an overview of the theoretical background and implementation specifics of CPP, as we understand them in the year 2007.
1. Introduction

Let $n$ be an integer about which one wishes a decision, whether it is prime or not. The decision may be taken by starting from the definition, thus performing trial division by integers $< \sqrt{n}$, or by using some related sieve method when the decision on a larger set of integers is expected. The method is slow even for relatively small integers, but may be acceptable in certain contexts. Primality proving becomes a discipline after the realization that rather than the definition, one may test some property or consequence of $n$ being prime, and this can often be done by significantly faster algorithms, basically descending from exponential to polynomial asymptotic behavior. This way one easily eliminates composites which do not verify the particular property of primes that is tested. The simplest property considered in this context is certainly Fermat's little theorem: $a^{n-1} \equiv 1 \bmod n$ for any $(a, n) = 1$, if $n$ is a prime. Since modular exponentiation is done in polynomial time in $\log(n)$, such a compositeness test is polynomial.

The disadvantage of the above approach is that there are composites which verify the same property; such composites are called Fermat pseudoprimes to base $a$, and there is literature dedicated to these and related pseudoprimes. Stronger statements are obtained when one has sufficient information about the factorization of $n - 1$. For instance, if there is a prime $q \mid (n-1)$ with $q > \sqrt{n}$, while $(a^{(n-1)/q} - 1, n) = 1$ and $a^{n-1} \equiv 1 \bmod n$, then one easily proves that $n$ is prime. Indeed, if $p \mid n$ is a nontrivial prime factor with $p < \sqrt{n}$ (such a prime always exists if $n$ is composite), then one considers $\alpha = a^{(n-1)/q} \bmod p \in \mathbb{F}_p$. By hypothesis, $\alpha \neq 1$ and $\alpha^q = 1$; but then $\alpha \in \mathbb{F}_p^*$ is an element of order $q$ and since $|\mathbb{F}_p^*| = p - 1$, one should have $q \mid (p-1) < \sqrt{n}$, which contradicts the choice of $q$. The idea can be refined: $q$ may be replaced by an integer $F \mid (n-1)$, $F > \sqrt{n}$, which has a known factorization. Based on this factorization and an easy variation of the above argument, one obtains a more general primality test. Note that in these cases a proof of primality (or compositeness) comes along with the result of the algorithm. Tests of this kind can be designed also for small extensions $\mathbb{F}_{p^k} \supset \mathbb{F}_p$, with astute translations of the arithmetic in these extensions, in the case when $\mathbb{F}_p$ is replaced by $\mathbb{Z}/(n \cdot \mathbb{Z})$ and extensions of this ring are used. A general limitation remains the necessity to know some large factored divisors $s \mid (n^k - 1)$. Tests of this kind are denoted in general by the name of Lucas-Lehmer tests.

The idea of Adleman et al. in [1] was to bypass the above mentioned restriction by choosing $k$ so large that an integer $s > \sqrt{n}$ which splits completely into small (albeit not polynomially bounded) prime factors is guaranteed to exist by analytic number theory. The algebraic part consists in a modification of the Lucas-Lehmer setting which allows more efficient testing. In the original version of [1], the connection to the classical test was hard to recognize. This connection was brought to light by H. W. Lenstra Jr. in his presentation of the result of Adleman, Pomerance and Rumely at the Bourbaki Seminar [18].

CYCLOTOMY PRIMALITY PROOFS AND THEIR CERTIFICATES

Let us consider again the Lucas-Lehmer test described above, where $q \mid (n-1)$ is a prime with $q > \sqrt{n}$. One can assert that this test constructs a primitive $q$-th root of unity modulo $n$, in the sense that $\Phi_q(\alpha) \equiv 0 \bmod n$ with $\alpha = a^{(n-1)/q} \operatorname{rem} n$ and $\Phi_q(X)$ the $q$-th cyclotomic polynomial. It is an important remark that once $\alpha$ has been calculated, it suffices to verify $\Phi_q(\alpha) \equiv 0 \bmod n$, and this verification is shorter than the original computation. If $q$ is a proved prime, the verification will yield a proof of primality for $n$, which can be quickly verified. This is the core idea of prime certification: gathering some information during the process of an initial primality proof, which can be used for a quicker a posteriori verification of the proof. Pratt developed this idea in the context of Lucas-Lehmer tests.
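The Lucas-Lehmer argument above, in its refined form with a factored divisor $F \mid (n-1)$, $F > \sqrt{n}$, together with a Pratt-style certificate that a verifier can check by redoing only the cheap steps, as an added Python example that is not part of the paper (function names, the search bound and the trial-division base case are our own choices):

```python
# Added example, not from the paper: the q | (n-1), q > sqrt(n) argument of the
# text, generalized to a factored divisor F | (n-1), F > sqrt(n), and the
# certificate idea: the witnesses a_q gathered during the proof let a verifier
# redo only the cheap checks.  Function names are ours.
from math import gcd, isqrt


def is_small_prime(m):
    """Trial division; used only as the base case of certificate verification."""
    return m >= 2 and all(m % d for d in range(2, isqrt(m) + 1))


def pocklington_witness(n, q, tries=10_000):
    """Search a with a^(n-1) = 1 mod n and gcd(a^((n-1)/q) - 1, n) = 1.
    As in the text, such an a forces every prime p | n to satisfy
    q^(v_q(n-1)) | (p - 1).  Returns None if the search fails or n fails
    Fermat's test (then n is certainly composite)."""
    assert (n - 1) % q == 0
    for a in range(2, min(n, tries)):
        if pow(a, n - 1, n) != 1:
            return None
        if gcd(pow(a, (n - 1) // q, n) - 1, n) == 1:
            return a
    return None


def factored_part(n, primes):
    """F = product of the full q-parts q^(v_q(n-1)) of n-1 over the given primes."""
    F = 1
    for q in set(primes):
        while (n - 1) % (F * q) == 0:
            F *= q
    return F


def prove_prime(n, F_primes):
    """Prove n prime from known prime factors F_primes of n-1 whose q-parts
    multiply to F > sqrt(n).  Returns the certificate [(q, a_q), ...] or None.
    Proof as in the text: a prime p | n with p <= sqrt(n) would have p = 1 mod F,
    hence p > F > sqrt(n), a contradiction."""
    if n < 3 or any((n - 1) % q for q in F_primes):
        return None
    if factored_part(n, F_primes) ** 2 <= n:
        return None  # known factored part too small for the argument
    cert = []
    for q in F_primes:
        a = pocklington_witness(n, q)
        if a is None:
            return None
        cert.append((q, a))
    return cert


def verify_certificate(n, certs, small=10_000):
    """Pratt-style recursive check.  certs maps each claimed prime m to its list
    of (q, a_q); primes below `small` are settled by trial division instead.
    Only modular exponentiations and gcds are redone, no witness search."""
    if n < small:
        return is_small_prime(n)
    if n not in certs:
        return False
    qs = []
    for q, a in certs[n]:
        if (n - 1) % q or not verify_certificate(q, certs, small):
            return False
        if pow(a, n - 1, n) != 1 or gcd(pow(a, (n - 1) // q, n) - 1, n) != 1:
            return False
        qs.append(q)
    return factored_part(n, qs) ** 2 > n


if __name__ == "__main__":
    # constructed sample: n = 2^31 - 1, n - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331
    n = 2**31 - 1
    cert = prove_prime(n, [151, 331])
    print(cert, verify_certificate(n, {n: cert}))
```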

When replacing $q$ by some large factored integer $s$ and searching for $s$-th roots of unity $\alpha$ in some extension $A \supset \mathbb{Z}/(n \cdot \mathbb{Z})$, such roots are zeroes of polynomials over $\mathbb{Z}/(n \cdot \mathbb{Z})$, and this fact yields a common frame for understanding the APR test and generalized Lucas-Lehmer tests. We present here a slight modification of Lenstra's Theorem 8 in [18], which is seminal to the approach we take in this paper:

Theorem 1. Let $n > 2$ be an integer and $A \supset \mathbb{Z}/(n \cdot \mathbb{Z})$ a commutative ring extension, $s > 1$, $t = \operatorname{ord}_s(n)$ and $\alpha \in A^\times$. If the following properties hold

(i) $\Phi_s(\alpha) = 0$,

(ii) $\Psi(X) = \prod_{i=1}^{t} (X - \alpha^{n^i}) \in \mathbb{Z}/(n \cdot \mathbb{Z})[X]$,

then either $n$ is prime or any divisor $r \mid n$ verifies:

(1) $r \in \{\, n^i \operatorname{rem} s : i = 1, 2, \ldots, t = \operatorname{ord}_s(n) \,\}$.

Proof. Suppose that $n$ is not prime and $r \mid n$ is a prime divisor. Then there is a maximal ideal $\mathfrak{R} \supset r \cdot A$ which contains $r$, and $K = A/\mathfrak{R}$ is a finite field while $a = (\alpha \bmod \mathfrak{R}) \in K$ verifies $\Phi_s(a) = 0$. If $u = \operatorname{ord}_s(r)$, then $a^{r^u} = a$ and by galois theory in finite fields, the minimal polynomial of $a$ is
$$f(X) = \prod_{i=1}^{u} \left(X - a^{r^i}\right) \in \mathbb{F}_r[X].$$
On the other hand, the polynomial
$$\bar\Psi(X) = \Psi(X) \bmod \mathfrak{R} = \prod_{i=1}^{t} \left(X - a^{n^i}\right) \in \mathbb{F}_r[X]$$
has $a$ as zero. By the minimality of $f(X)$, it follows that $f(X) \mid \bar\Psi(X)$ and since $\mathbb{F}_r[X]$ has unique factorization, $a^r$ must be a common zero of $f(X)$ and $\bar\Psi(X)$. In particular, there is an exponent $j$ such that $a^r = a^{n^j}$ and thus $a^{n^j - r} = 1$. But by (i), $a$ is a primitive $s$-th root of unity, and thus we must have $n^j - r \equiv 0 \bmod s$, or $r \in \langle n \bmod s \rangle$. This holds for all the prime divisors of $n$ and the more general statement (1) follows by multiplicativity. □

This theorem allows a fundamental generalization of the Lucas-Lehmer tests: let $n$ be an integer and suppose that an $s$-th root of unity in the sense of (i) is found in some ring $A \supset \mathbb{Z}/(n \cdot \mathbb{Z})$ and furthermore (ii) holds. If $s > \sqrt{n}$, then, pending a test of the fact that all the residues
$$r_i = n^i \operatorname{rem} s, \quad i = 1, 2, \ldots, t$$
are coprime to $n$, one has a primality proof for $n$. Indeed, if $n$ were composite, then at least one of its prime factors would satisfy $p < \sqrt{n} < s$. But then the theorem implies that $p \in \{ r_i : i = 1, 2, \ldots, t \}$, which is verified to be false. One should note that prior to Lenstra's work, Lucas-Lehmer tests in ring extensions of degree $k$ were lacking a transparent criterion for the choice of the size of the completely factored part $s \mid (n^k - 1)$ required; in particular, the required factored part was often larger than $\sqrt{n}$ even for small values of $k$; it was also not possible to combine information from tests for different values of $k$ [33], [25]. Theorem 1 solves both questions elegantly.

As we have shown in [23], Theorem 1 not only generalizes the notion of Lucas-Lehmer tests and builds a bridge to combining them with the test of Adleman, Pomerance and Rumely, it also indicates a way to a new comprehension of that algorithm. It has become customary to denote the test described in [1] in all its updated variants by Jacobi sum test, while Cyclotomy Primality Proving, or CPP, is a term used to cover all variants of tests related to Theorem 1. These may be Jacobi sum tests, generalized Lucas-Lehmer tests, combinations thereof or also deterministic variants: we shall indeed see below that the Jacobi sum test has a probabilistic Las Vegas version, which is mostly the version used in implementations, and a computationally more complicated deterministic version. The ideas of CPP were improved by Lenstra et al. in [20], [19], [12], [10], [23], [24]; their constructive base can be described as building a frame in which a factor $\Psi(X) \mid \Phi_s(X) \bmod n$ can be constructed for some large $s$ and such that, if $n$ is prime, the factor is irreducible. The computations are performed in Frobenius rings extending $\mathbb{Z}/(n \cdot \mathbb{Z})$, which become fields over $\mathbb{Z}/(n \cdot \mathbb{Z})$ if $n$ is prime.

The algorithms of CPP are de facto fast, competitive primality proving algorithms, but they have the complexity-theoretically intolerable feature of a provable superpolynomial run-time

which is the expected value for the size of $t$ in (1). A practical alternative for proving primality on computers is the random polynomial test using the group of points of an elliptic curve over finite fields, originally invented by Goldwasser and Kilian [13]. The test was made practical by a contribution of A. O. L. Atkin [5] and has been implemented at the same time by F. Morain, who has maintained and improved [25] a program ECPP [27] for more than a decade.

The purpose of this paper is to give a compact presentation of the theoretical background of the CPP algorithms and an overview of the basic variants. We also present a new method for computing certificates of a CPP proof. In the description of algorithms, we follow a balance between efficiency and clarity.

In section two we define the galois, Frobenius and cyclotomic extensions of rings. The last are the algebraic structures in which the various tests are performed. Based on this, we then describe an algorithm for taking roots in cyclotomic ring extensions, which is due to Huang in the field case. Section three gives an overview of Gauss and Jacobi sums over galois rings. We then show the connection to the construction of cyclotomic fields by cyclic field extensions and show that this mechanism is in fact the core idea of the Jacobi sum test. In section four we give some computational criteria which connect this test to the existence and construction of cyclotomic extensions. In section five we introduce the new certification methods, and the probabilistic algorithms of CPP are defined in section six. Finally, in section seven we present the deterministic version of CPP and show how it can be understood and implemented as a subcase of the general CPP test; section eight contains observations on the run time and the results from analytic number theory on which the analysis is based.

The ideas of this paper are updated from the thesis [23] and many can be found already in the joint thesis of Bosma and van der Hulst [10] and the seminal papers of Lenstra. Our perspective of placing Theorem 1 at the center of CPP may be considered as the more personal contribution of this paper. Based on the common structure of Lucas-Lehmer and Jacobi sum tests, as reflected by Theorem 1, we deduce by analogy to the Pratt certificates for Lucas-Lehmer tests over $\mathbb{Z}/(n \cdot \mathbb{Z})$ a certification method for CPP; such a method was not known or predicted to exist previously. The same frame yields also a simple understanding of (a generalized form of) the Berrizbeitia variant of the celebrated polynomial time deterministic test of Agrawal, Kayal and Saxena [3]; this is presented in [5] and, independently, by Bernstein in [5].

Finally, the notion of cyclotomic extension of rings can be extended to elliptic extensions of rings, closely connected to the Schoof-Elkies-Atkin algorithm for counting points on elliptic curves over finite fields. Together with the use of dual elliptic primes, some relatives of twin primes in imaginary quadratic extensions of $\mathbb{Q}$, this leads to a new and very efficient combination of CPP and ECPP (elliptic curve primality proving) algorithms, which is presented in [26]. The present paper is herewith both an overview of the recent developments in CPP and a foundation for the description of new results.

1.1. Some notations. Throughout this paper we let $n > 1$ be an integer, which can be thought of as a prime candidate. We shall be interested in the ring $\mathbb{Z}/(n \cdot \mathbb{Z})$ and its extensions and introduce for simplicity the notation $\mathcal{N} = \mathbb{Z}/(n \cdot \mathbb{Z})$. For integers $s > 0$ we let $\Phi_s(X) \in \mathbb{Z}[X]$ be the $s$-th cyclotomic polynomial. We shall encounter roots of unity in various rings. For complex roots of unity we shall write $\zeta_s \in \mathbb{C}$ when $\Phi_s(\zeta_s) = 0$; it will be made clear in the context when a certain complex $s$-th root of unity is fixed. If $G$ is a finite group and $x \in G$, then $\langle x \rangle$ will denote the cyclic group generated by $x$; e.g. $\langle n \bmod s \rangle$ is the cycle of $n \in \mathbb{Z}/(s \cdot \mathbb{Z})$. We may at times write $\log^{(k)}(x)$ for the $k$-fold iterated logarithm of $x$. Along with $n$, we shall often use two parameters $s, t \in \mathbb{N}$ such that $t = \operatorname{ord}_s(n)$, or $s$ is squarefree and $t = \lambda(s) = \operatorname{lcm}_{q \mid s}(q - 1)$, the least common multiple being taken over primes $q$. In both cases, we consider the following sets related to these parameters:
$$Q = \{\, q \mid s : q \text{ prime} \,\} \quad \text{and}$$
$$(3) \qquad \mathcal{P} = \{\, \mathfrak{p} = (p^k, q) \in \mathbb{N}^2 : p^k \,\|\, (q - 1),\ q \in Q \text{ and } p \text{ is prime} \,\}.$$
For $\mathfrak{p} = (p^k, q) \in \mathcal{P}$, we may use notations like $p = p(\mathfrak{p})$, $k = k(\mathfrak{p})$, etc., with the obvious signification.

2. Galois extensions of rings and cyclotomy

Let $A$ be a finite commutative ring and $\alpha \in \Omega \supset A$ an element which is annihilated by some polynomial from $A[X]$. Suppose that the powers of $\alpha$ generate a free module $R = A[\alpha]$; such modules shall be called simple extensions of $A$. Alternately, quotient rings of the type $R = A[X]/(f(X))$, where $f(X) \in A[X]$, shall also be called simple extensions. It can be verified that the two types of extensions are equivalent.

There is an ideal $I \subset \mathbb{Z}$ with $I \cdot A = 0$; the positive generator $n$ of the annihilator $I$ is the characteristic of the ring $A$. We are interested in galois properties of extensions of finite rings. These have been considered systematically for primality by Lenstra in [18], [20]. The approach we take here is slightly different and closer to actual computational aspects; the central concept of cyclotomic extensions of rings ends up being identical to the one of Lenstra.
Definition 1. Let $A$ be a finite ring of characteristic $n$ and:

1. Suppose that there is a galois extension of number fields $L = K[X]/(f(X))$ with $f(X) \in \mathcal{O}(K)[X]$, and an ideal $\mathfrak{n} \subset \mathcal{O}(K)$ such that $A = \mathcal{O}(K)/\mathfrak{n}$.

2. Let $\xi = X + (f(X)) \in L$, $\bar f(X) = f(X) \bmod \mathfrak{n} \in A[X]$ and
$$R = \mathcal{O}(L)/(\mathfrak{n} \cdot \mathcal{O}(L)) = A[X]/(\bar f(X)) = A[\rho], \quad \text{with } \rho = \xi \bmod (\mathfrak{n} \mathcal{O}(L)) = X + (\bar f(X)).$$

3. Let $G = \operatorname{Gal}(L/K)$ and for $\sigma \in G$, define $\bar\sigma : \rho \mapsto (\sigma(\xi) \bmod (\mathfrak{n} \mathcal{O}(L)))$ and $\bar G = \{ \bar\sigma : \sigma \in G \}$.

4. Suppose that the degree $d = \deg f$, the discriminant $\operatorname{disc}(f)$ and the characteristic are coprime:
$$(4) \qquad (n, \operatorname{disc}(f) \cdot \deg(f)) = 1.$$

If these conditions are fulfilled, then the ring extension $R$ is called a galois extension of $A$ with group $\bar G$. Conversely, an extension $R/A$ is galois if there is a galois extension of number fields $L/K$ from which $R$ arises according to 1.-3.

Remark 1. The definition of the galois extension depends in general on the choice of $(K, L, \mathfrak{n})$; we may in fact identify $R$ with this triple, and unicity of the lift to characteristic zero is not a concern. In fact, considering the case when $n$ is a prime and $R = \mathbb{F}_{n^d}$ is a finite field, it is obvious that the algebra $R$ has multiple lifts. We shall in fact use this observation and define, also when $n$ is not known to be prime, some algebras $R$ in a simple way, and then construct by operations in $R$ additional polynomials that split in $R$, leading thus to additional lifts to characteristic zero.

The condition (4) is quite artificial, but harmless in the context of primality testing, where one can think of $A$ as $\mathcal{N}$ or a simple extension thereof: if (4) fails, one has a non trivial factor of $n$.

The main property of a galois extension is of course the fact that the base ring is fixed by the galois group:

Fact 1. Let $R \supset A$ be a galois extension of the finite ring $A$, let $L = K[X]/(f(X))$ be the associated extension of number fields and $G = \operatorname{Gal}(L/K)$ the galois group. Let $\rho = X + (\bar f(X)) \in R$ and suppose that $\alpha \in R$ is $\bar G$-invariant. Then $\alpha \in A$.

Proof. Since $R = \pi(\mathcal{O}(L))$, where $\pi$ is the reduction modulo $\mathfrak{n} \cdot \mathcal{O}(L)$ map, is a free $A$-module, we can write $\alpha = \sum_{\sigma \in G} a_\sigma \, \bar\sigma(\rho)$ with $a_\sigma \in A$. If $\alpha$ is $\bar G$-invariant and $d = |G| \in A^*$, we have
$$d \cdot \alpha = \sum_{\tau \in G} \bar\tau(\alpha) = \sum_{\sigma, \tau \in G} a_\sigma \, \overline{\tau\sigma}(\rho) = \lambda \cdot \theta,$$
with $\lambda = \sum_{\sigma \in G} a_\sigma \in A$ and $\theta = \sum_{\sigma \in G} \bar\sigma(\rho) = \pi\left(\sum_{\sigma \in G} \sigma(\xi)\right) = \pi\left(\operatorname{Tr}_{L/K}(\xi)\right) \in A$. It follows that $\alpha = (\lambda \cdot \theta) \cdot d^{-1} \in A$, which completes the proof. □

Here are some examples of galois extensions:

Examples 1.

(a) Let $A = \mathcal{N}$ and $s > 0$ such that $(n, s \cdot \varphi(s)) = 1$. If $f(X) = \Phi_s(X)$, $K = \mathbb{Q}$ and $L = \mathbb{Q}(\zeta_s)$, then $R = \mathbb{Z}[\zeta_s]/(n \mathbb{Z}[\zeta_s])$ is a galois extension with group $G \cong (\mathbb{Z}/s \cdot \mathbb{Z})^*$.

(b) If $n$ is a prime and $s, K, L, R$ are as in the previous example, let $H \subset (\mathbb{Z}/s \cdot \mathbb{Z})^*$ be the decomposition group of $n$ in $L$, with $t = |H|$, and suppose that $(n, s \cdot t) = 1$. Let $K_1 = L^H$ and $\mathfrak{n} \subset \mathcal{O}(K_1)$ an ideal above $n$. Then $\mathcal{O}(K_1)/\mathfrak{n} = \mathbb{F}_n$ and there is a polynomial $f(X) = \prod_{\tau \in H} (X - \tau(\zeta_s))$ such that $\mathfrak{r} = A[X]/(\bar f(X)) \subset R$ is a galois extension. Of course, $\mathfrak{r} = \mathbb{F}_{n^t}$ is even a field.

The construction holds for any subgroup $\mathcal{K}$ with $H \subset \mathcal{K} \subset G = \operatorname{Gal}(L/K)$, yielding a filtration of galois extensions. If $\mathcal{K} = G/H$, then for any prime ideal $\mathfrak{R}$ with $n \in \mathfrak{R} \subset \mathbb{Z}[\zeta_s]$, the group $\mathcal{K}$ acts transitively on $\mathfrak{R}$ and $(n) = \prod_{\nu \in \mathcal{K}} \nu(\mathfrak{R})$. Furthermore, $\mathbb{Z}[\zeta_s]/(\nu(\mathfrak{R})) = \mathbb{F}_{n^t}$. There is a canonical decomposition:
$$(5) \qquad R = \mathbb{Z}[\zeta_s]/(n \mathbb{Z}[\zeta_s]) \cong \prod_{\nu \in \mathcal{K}} \mathbb{Z}[\zeta_s]/(\nu(\mathfrak{R})) = \prod_{\nu \in \mathcal{K}} \mathbb{F}_{n^t}.$$
If $\rho = \zeta_s \bmod \mathfrak{R} \in \mathbb{F}_{n^t}$ is fixed, then the image of $\zeta_s$ in the Chinese Remainder decomposition of $R$ above is $\zeta_s \bmod (n) = (\rho, \rho_k, \rho_{k^2}, \ldots)$, where $\langle k \bmod s \rangle = \mathcal{K}$ and $\rho_k = \zeta_s \bmod \sigma_k^{-1}(\mathfrak{R})$, with obvious meaning of the notation.

(c) Let $E(a, b) : Y^2 = X^3 + aX + b$ be the equation of an elliptic curve over some field $K$ and suppose that there is an ideal $\mathfrak{n} \subset \mathcal{O}(K)$ such that $\mathcal{O}(K)/\mathfrak{n} = \mathcal{N}$. Let $\ell$ be a prime and $\psi_\ell(X) \in \mathcal{O}(K)[X]$ be the $\ell$-th division polynomial of $E(a, b)$, its reduction being $\bar\psi_\ell(X) \in \mathcal{N}[X]$. Then $R = \mathcal{N}[X]/(\bar\psi_\ell(X))$ is a galois extension.

The definition of galois extensions is quite general and is not specifically bound 
to the expectation that n might be a prime. We specialize below galois extensions 
to Frobenius extensions, which are related to finite fields. 

Definition 2. Let $A$ be a finite commutative ring of characteristic $n$ and $\Psi(X) \in A[X]$ a monic polynomial. We say that the simple ring extension $R = A[X]/(\Psi(X))$ is:

F. a Frobenius extension, if $\Psi(X^n) \equiv 0 \bmod \Psi(X)$ and
(F1.) There is a set $S = \{x_1, x_2, \ldots, x_m\} \subset R$ which generates $R$ as a free $A$-module and such that $\Psi(x_i) = 0$.
(F2.) There is a group $G \subset \operatorname{Aut}_A(R)$ which fixes $S$ and such that $g = |G| \in A^*$.
(F3.) The traces of $S$ are $\operatorname{Tr}(x_i) = \sum_{\sigma \in G} \sigma(x_i) \in A$.

SF. a simple Frobenius extension, if it is Frobenius and there is a $t > 0$ such that
$$\Psi(X) = \prod_{i=1}^{t} \left(X - \zeta^{n^i}\right), \quad \text{where } \zeta = X + (\Psi(X)) \in R.$$

Remark 2. Example (c) is a galois extension which is in general not Frobenius. The other two examples are Frobenius at the same time, and the first extension in (b) is simple Frobenius. Property F3. implies that $A$ is exactly the ring fixed by $G$, the proof being similar to the one of Fact 1.

The situation in (b) is crucial for CPP. In fact, in the algorithms we shall investigate integers $n$ that lead to the decomposition (5) of the ring $\mathbb{Z}[\zeta_s]/(n \mathbb{Z}[\zeta_s])$ and show that for such integers Theorem 1 can be applied.
Next we clarify the notion of primitive root of unity, which has some ambiguity when considering roots of unity over rings. The question is illustrated by the simple example: is $\alpha = 4 \bmod 15$ a primitive second root of unity modulo 15? One verifies that $\alpha \in (\mathbb{Z}/15 \cdot \mathbb{Z})^*$ and $\alpha \neq 1$ while $\alpha^2 = 1$. However, $\alpha - 1 \notin (\mathbb{Z}/15 \cdot \mathbb{Z})^*$. We shall avoid such occurrences and define

Definition 3. Let $A$ be a commutative ring with 1 and $s > 1$ an integer, while $\Phi_s(X) \in \mathbb{Z}[X]$ is the $s$-th cyclotomic polynomial and $\bar\Phi_s(X) \in A[X]$ its image over $A$. We say that $\zeta \in A$ is a primitive $s$-th root of unity iff $\bar\Phi_s(\zeta) = 0$.

We leave it as an exercise to the reader to verify that, if $A$ is finite, then $\zeta \in A$ is an $s$-th primitive root of unity if and only if for all maximal ideals $\mathfrak{A} \subset A$, the root of unity $\zeta_{\mathfrak{A}} = (\zeta \bmod \mathfrak{A}) \in K = A/\mathfrak{A}$ is a primitive $s$-th root of unity in the field $K$. In particular, $\zeta - 1 \in A^\times$. Note that $\zeta_s \bmod (n \mathbb{Z}[\zeta_s])$ in example (b) is a primitive root of unity.

The next step towards the goal of Remark 2 consists in defining the cyclotomic extensions of rings, which are simple Frobenius extensions generated by primitive roots of unity.

Definition 4. Let $n, s$ and $\mathcal{N}$ be as above and $\Omega \supset \mathcal{N}$ some ring with $\zeta \in \Omega$ a primitive $s$-th root of unity. We say that
$$R = \mathcal{N}[\zeta]$$
is an $s$-th cyclotomic extension of the ring $\mathcal{N}$, if the extension $R/\mathcal{N}$ is simple Frobenius. In particular, $R/\mathcal{N}$ has the galois group $G = \langle \sigma \rangle$ generated by the automorphism with $\sigma(\zeta) = \zeta^n$, and $|G| = t = \operatorname{ord}_s(n)$.

We say that $s$ is the order and $t$ is the degree of the extension $R$. Sometimes we shall denote the extension also by the triple $(R, \zeta, \sigma)$.

Like for finite fields, a galois extension $R \supset \mathcal{N}$ can be an $m$-th cyclotomic extension of $\mathcal{N}$ for various values of $m$. We shall in fact often start with galois extensions $R$ of degree $d$ over $\mathcal{N}$, then seek $m$-th primitive roots of unity in $R$ for various values $m \mid (n^d - 1)$, and then prove that these roots together with the galois group generate an $m$-th cyclotomic extension. The procedure will be illustrated below, in the results on the Lucas-Lehmer test.

It is also natural to consider subextensions of cyclotomic extensions, i.e. rings of the kind
$$\mathfrak{t} = \mathcal{N}[\eta], \quad \text{with } \eta = \sum_{i=1}^{t/u} \sigma^{u i}(\zeta) \in R,$$
where $u \mid t$. Such subextensions are galois (even abelian). They have been considered recently by Lenstra and Pomerance in their version of the AKS algorithm [21]; the term pseudo-fields was coined in that context.

Remark 3. Let $(R, \zeta, \sigma)$ be some $s$-th cyclotomic extension of $\mathcal{N}$, with $R = \mathcal{N}[\zeta]$ and $t = [R : \mathcal{N}]$. Suppose that there is an integer $u > 1$ and $\beta \in R$ with $\Phi_u(\beta) = 0$, such that $S = \mathcal{N}[\beta]$ is a $u$-th cyclotomic extension with automorphism group induced by the restriction of $\sigma$ to $S$. We shall say in such a case, by abuse of language, that $(R, \beta, \sigma)$ is a $u$-th cyclotomic extension.

Cyclotomic extensions do not exist for every pair $(n, s)$ and their existence is a (sporadic) property of the number $n$ with respect to $s$; this fact is used for primality testing. The following theorem groups a list of equivalent properties of cyclotomic extensions, relating them to Theorem 1 and providing a useful base for algorithmic applications.

Theorem 2. Let $s, n > 1$ be coprime integers, $t = \operatorname{ord}_s(n)$ be also coprime to $n$, and fix $\zeta_s \in \mathbb{C}$. Let $A$ be the ring of integers in $L_n = \mathbb{Q}[\zeta_s]^{\langle n \bmod s \rangle}$ and consider the polynomial $\Psi_0(x) = \prod_{i=1}^{t} \left(x - \zeta_s^{n^i}\right) \in A[x]$. The following statements are equivalent:

(I) An $s$-th cyclotomic extension of $\mathcal{N}$ exists.

(II) $r \mid n \Rightarrow r \in \langle n \bmod s \rangle$.

(III) There is a surjective ring homomorphism $\tau_0 : A \to \mathcal{N}$.

(IV) There is a polynomial $\Psi(x) = \tau_0(\Psi_0) \in \mathcal{N}[x]$ of degree $t$ with:

(i) $\Psi(x) \mid \Phi_s(x)$,

(ii) if $\zeta = x + (\Psi(x)) \in \mathcal{N}[x]/(\Psi(x))$, then $\Psi(\zeta^{n^i}) = 0$ for $i = 1, 2, \ldots, t$.

Proof. Suppose that (I) holds and let $\Psi(x) = \prod_{i=1}^{t} (x - \sigma^i(\zeta)) \in \mathcal{N}[x]$. The argument used in the proof of Theorem 1 shows that (I) $\Rightarrow$ (II).

Assume that (II) is verified, let $r \mid n$ be some prime factor and let $\rho \in \overline{\mathbb{F}}_r$ be a primitive $s$-th root of unity. If $\mathfrak{R} \subset L_r = \mathbb{Q}(\zeta_s)^{\langle r \bmod s \rangle}$ is some prime ideal above $r$, then $\mathcal{O}(L_r) \bmod \mathfrak{R} = \mathbb{F}_r$, as follows from example (b) and relation (5). But since $r \in \langle n \bmod s \rangle$, it follows that $A \subset \mathcal{O}(L_r)$ and there is a fortiori a surjective map $\tau_r : A \to \mathbb{F}_r$. By Hensel's Lemma and the Chinese Remainder Theorem, this map can then be extended to a map $\tau_0 : A \to \mathcal{N}$, so (II) $\Rightarrow$ (III).

Assume (III) holds and let $r \mid n$ be a prime. Then $\tau_0$ extends by composition with the reduction modulo $r$ to a map $\tau_r : A \to \mathbb{F}_r$. In particular $\Psi_r(X) = \tau_r(\Psi_0(X)) \in \mathbb{F}_r[X]$ is a polynomial such that $\Psi_r(X) \mid \Phi_s(X)$ and $\Psi_r(\zeta^n) = 0$ if $\Psi_r(\zeta) = 0$. Using again Hensel's Lemma and the Chinese Remainder Theorem, a polynomial $\Psi(X) \in \mathcal{N}[X]$ with the same properties can be constructed, and thus (III) $\Rightarrow$ (IV).

Finally, if $\Psi(x) \in \mathcal{N}[x]$ has property (IV), let $R = \mathcal{N}[x]/(\Psi(x))$ and $\zeta = x + (\Psi(x))$; it follows from (i) that $\zeta$ is a primitive $s$-th root of unity. We have to show that $\sigma : \zeta \mapsto \zeta^n$ is an automorphism of $R$. By construction, $\sigma$ permutes the zeroes of $\Psi$, so $G = \langle \sigma \rangle$ acts transitively on $S = \{\zeta, \zeta^n, \ldots, \zeta^{n^{t-1}}\}$. This shows that $R$ is cyclic Frobenius, and since $\Psi(X) \mid \Phi_s(X)$, it is an $s$-th cyclotomic extension of $\mathcal{N}$, so (IV) $\Rightarrow$ (I). □

Remark 4. It follows from (III) that the extension $R/\mathcal{N}$ is galois in the sense of Definition 1, and this confirms the fact that its subextensions are galois too.

The relation (II) is an elementary verifiable condition for the existence of cyclotomic extensions. If $\lambda(s) = \operatorname{lcm}_{q = p^e \| s} (\varphi(q))$ is the Carmichael function, while $\varphi$ is Euler's totient function, then $(\mathbb{Z}/s \cdot \mathbb{Z})^*$ contains $\varpi(s)$ disjoint cyclic subgroups. The larger $\varpi(s)$, the more improbable it becomes to find integers $n$ for which (II) is verified. This is the core idea of the CPP tests.

The following simple fact has some important implications about the size of cyclotomic extensions.

Fact 2. Let $p$ be a prime, $n \in \mathbb{N}_{>1}$, $(n, p) = 1$ and let $v_p(x)$, $x \in \mathbb{Z}$, denote the $p$-adic valuation. If $p$ is odd, $t = \operatorname{ord}_p(n)$ and $v = v_p(n^t - 1)$, then the order
$$\operatorname{ord}_{p^m}(n) = t \cdot p^u \quad \text{with } u = \max(0, m - v).$$
For $p = 2$ we distinguish the following cases:

1. If $n \equiv 1 \bmod 4$ and $v = v_2(n - 1)$, then
$$\operatorname{ord}_{2^m}(n) = 2^u \quad \text{with } u = \max(0, m - v),$$

2. If $n \equiv 3 \bmod 4$ and $v = v_2(n^2 - 1)$, then, for $m \ge 2$,
$$\operatorname{ord}_{2^m}(n) = 2^{u+1} \quad \text{with } u = \max(0, m - v).$$

Proof. The proof is left as an exercise to the reader, see also [51], Chapter II, §3. □

The remarkable phenomenon above consists in the fact that the order $\operatorname{ord}_{p^m}(n)$ starts from an initial value $t = \operatorname{ord}_p(n)$ which is constant for $m \le v_p(n^t - 1)$ and then increases by factors $p$ when $m$ grows. The only exception is the case $p = 2$ and $n \equiv 3 \bmod 4$, when one has to consider $m \le v_2(n^2 - 1)$ as starting value. This leads to the following

Definition 5. Let $n$ be an integer and $p$ a prime with $(p, n) = 1$. We define the saturation index of $n$ with respect to $p$ by:
$$k_n(p) = \begin{cases} v_2(n^2 - 1) & \text{if } p = 2 \text{ and } n \equiv 3 \bmod 4, \\ v_p(n^t - 1) \text{ with } t = \operatorname{ord}_p(n) & \text{otherwise.} \end{cases}$$

If $(R, \sigma, \zeta)$ is a $p^k$-th cyclotomic extension of $\mathcal{N}$ and $k \ge k_n(p)$, then the extension is saturated. In general, if $(s, n) = 1$ and $(R, \sigma, \zeta)$ is an $s$-th cyclotomic extension of $\mathcal{N}$, we say that the extension is saturated if $p \mid s \Rightarrow p^{k_n(p)} \mid s$.

We shall denote by saturated $p$-th extension of $\mathcal{N}$ a galois extension with $[R : \mathcal{N}] = d$, where $(d, p) = 1$ for odd $p$ or $p = 2$ and $n \equiv 1 \bmod 4$, and $d = 2$ if $p = 2$ and $n \equiv 3 \bmod 4$, and which is a $q$-th cyclotomic extension of $\mathcal{N}$ with $q = p^{k_n(p)}$.

Note that the term saturated $p^h$-th extension implicitly asserts the fact that $h \ge k_n(p)$; the definition of a saturated $p$-th cyclotomic extension is an exception, since it denotes an extension which not only contains a $p$-th root but also a $p^{k_n(p)}$-th primitive root of unity. It can happen that a $p$-th cyclotomic extension of $\mathcal{N}$ exists, but not a saturated one, as illustrated by:

Example 1. Let $n = 91 = 7 \cdot 13$. Then (II) implies that a third cyclotomic extension of $\mathcal{N}$ exists, since $r \in \langle n \bmod 3 \rangle$ for all $r \mid n$. However, according to (II) of Theorem 2, this extension is not saturated, since $n \equiv 1 \bmod 9$ yet $r = 7 \mid n$ and $r \notin (\langle n \bmod 9 \rangle = \langle 1 \rangle)$.
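The elementary checks behind the residue test following Theorem 1 (the set $\{n^i \operatorname{rem} s\}$), the closed formula of Fact 2, the saturation index of Definition 5 and condition (II) of Theorem 2, worked on Example 1, as an added Python example that is not part of the paper (function names are ours; the orders are also recomputed by brute force so the closed formula can be cross-checked):

```python
# Added example, not from the paper: the orbit <n mod s>, the residue check
# that turns Theorem 1 into a primality proof, the closed form of Fact 2, the
# saturation index k_n(p) of Definition 5 and condition (II) of Theorem 2,
# worked on Example 1 (n = 91).  Function names are ours.
from math import gcd, isqrt, prod


def ord_mod(n, m):
    """Multiplicative order of n modulo m by brute force; needs gcd(n, m) = 1."""
    assert m >= 1 and gcd(n, m) == 1
    x, t = n % m, 1
    while x != 1 % m:
        x, t = (x * n) % m, t + 1
    return t


def orbit(n, s):
    """<n mod s> = {n^i rem s : i = 1, ..., t}, t = ord_s(n)."""
    return {pow(n, i, s) for i in range(1, ord_mod(n, s) + 1)}


def theorem1_residue_test(n, s):
    """With (i), (ii) of Theorem 1 established for s > sqrt(n), every divisor of
    n lies in <n mod s>; the text's residue test.  Returns (is_prime, factor):
    a residue sharing a factor with n exposes that factor."""
    assert s > isqrt(n) and gcd(n, s) == 1
    for r in sorted(orbit(n, s)):
        g = gcd(r, n)
        if 1 < g < n:
            return False, g
    return True, None


def v_adic(x, p):
    """p-adic valuation v_p(x) for x != 0."""
    v = 0
    while x % p == 0:
        x, v = x // p, v + 1
    return v


def ord_prime_power(n, p, m):
    """ord_{p^m}(n) from the closed form of Fact 2 (m >= 1, gcd(n, p) = 1)."""
    if p != 2:
        t = ord_mod(n, p)
        return t * p ** max(0, m - v_adic(n**t - 1, p))
    if m == 1:
        return 1                      # every odd n is 1 mod 2
    if n % 4 == 1:
        return 2 ** max(0, m - v_adic(n - 1, 2))
    return 2 ** (max(0, m - v_adic(n * n - 1, 2)) + 1)   # n = 3 mod 4


def saturation_index(n, p):
    """k_n(p) of Definition 5."""
    if p == 2 and n % 4 == 3:
        return v_adic(n * n - 1, 2)
    return v_adic(n ** ord_mod(n, p) - 1, p)


def condition_II(n_factors, s):
    """(II) of Theorem 2 for n = prod(n_factors): each prime r | n is in <n mod s>."""
    orb = orbit(prod(n_factors), s)
    return all(r % s in orb for r in n_factors)


def example_1():
    """Example 1: n = 91 = 7 * 13 has a 3rd cyclotomic extension but no saturated
    one, although 91 = 1 mod 9 and k_91(3) = 2."""
    return {
        "3rd extension exists": condition_II([7, 13], 3),
        "k_91(3)": saturation_index(91, 3),
        "9th extension exists": condition_II([7, 13], 9),
    }


if __name__ == "__main__":
    print(example_1())
    # constructed sample: for n = 91 and s = 12 the residue 91 rem 12 = 7 is a factor
    print(theorem1_residue_test(91, 12))
```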

The saturated extensions are characterized by the following property:

Theorem 3. If $(R, \sigma, \zeta)$ is a saturated $p^{k_n(p)}$-th extension and $h \ge k_n(p)$, then a $p^h$-th extension of $\mathcal{N}$ exists.

Proof. Consider $h \ge k_n(p)$, $R(h) = R[x]/(x^{p^{h - k_n(p)}} - \zeta)$ and let $\zeta(h)$ be the image of $x$ in $R(h)$. It is easy to establish by comparing ranks that $(R(h), \sigma(h), \zeta(h))$ is a $p^h$-th cyclotomic extension, where $\sigma(h)$ is the extension of $\sigma$ to $R(h)$. □

Theorem 3 motivates the denomination "saturated": the existence of a saturated $p$-th extension implies the existence of cyclotomic extensions of degree equal to any power of $p$. Example 1 shows that the existence of a saturated extension is also necessary for this. We shall use for convenience the term of complete extension for the union of all saturated extensions of orders $p^h$:
Definition 6. Suppose that a saturated $p^k$-th extension $(R, \sigma, \zeta)$ of $\mathcal{N}$ exists and let:
$$(7) \qquad (R_\infty(p), \sigma_\infty(p), \zeta_\infty(p)) = \bigcup_{h=k}^{\infty} (R(h), \sigma(h), \zeta(h)).$$
$R_\infty$ is called the complete $p$-th extension and its existence is granted by the premises and the preceding theorem.

The proving of existence of cyclotomic extensions focuses herewith on proving existence of saturated extensions. The existence of saturated extensions has also implications for the properties of primes $r$ dividing $n$ [12]:

Lemma 1 (Cohen and Lenstra, [12]). Suppose that $p$ is a prime with $(p, n) = 1$ for which a saturated $p$-th cyclotomic extension of $\mathcal{N}$ exists. Then for any $r \mid n$ there is a $p$-adic integer $l_p(r)$ and, for $p > 2$, a number $u_p(r) \in \mathbb{Z}/((p-1) \cdot \mathbb{Z})$, such that:
$$r \equiv n^{u_p(r)} \bmod p \quad \text{and}$$
$$(8) \qquad r^{p-1} = \left(n^{p-1}\right)^{l_p(r)} \in \{1 + p \cdot \mathbb{Z}_p\} \ \text{ if } p > 2, \qquad r = n^{l_p(r)} \in \{1 + 2 \cdot \mathbb{Z}_2\} \ \text{ if } p = 2.$$

Proof. Using Theorem 3, the hypothesis implies that $r \in \langle n \bmod p^k \rangle$ for all $k \ge 1$, which implies (8). □

2.1. Finding Roots in Cyclotomic Extensions. Consider the following problem: given a finite field $\mathbb{F}_q = \mathbb{F}_p[\alpha]$ with $q = p^k$ a prime power and $r$ a prime with $v_r(q - 1) = a$, and given $x \in \mathbb{F}_q$ with $x^{(q-1)/r} = 1$, find a solution of the equation $y^r = x$ in $\mathbb{F}_q$. The problem has an efficient polynomial time solution if an $r^a$-th root of unity $\rho \in \mathbb{F}_q$ is known, and the algorithm was described by Huang in [14], [15].

We shall treat here the generalization of the problem to cyclotomic extensions of rings. The basic idea is the same and it is well illustrated by the case $r = 2$ and $q = p \equiv 5 \bmod 8$. In this case we let $u = x^{(p-1)/4} = \pm 1$, since $u^2 = x^{(p-1)/2} = 1$ by hypothesis. But $e = (p-1)/4$ is odd and thus $f = (e+1)/2$ is an integer, while $x^{2f} = u \cdot x$. If $\rho^2 = u = \pm 1$ for $\rho \in \mathbb{F}_p$, then a solution of $y^2 = x$ is given by $y = \rho^{-1} \cdot x^f$. Thus, knowing a 4-th root of unity, one can find square roots in $\mathbb{F}_p$. The general case is described in the following:

Theorem 4. Let $p$ be a prime with $(p, n) = 1$ and $(R, \sigma, \zeta)$ a saturated $p$-th cyclotomic extension of $\mathcal{N}$; let $a \in R$ and $l \le k_n(p)$ be such that
$$(9) \qquad a^{N/p^l} = 1$$
is satisfied. Then there is a polynomial deterministic algorithm for finding a root $\beta \in R$ of the equation $x^p = a$.

Proof. Let
$$t = \#\langle \sigma \rangle = [R : \mathcal{N}], \quad N = n^t - 1, \quad k = v_p(N),$$
and let $u$ be given by $N = u \cdot p^k$, so that $(u, p) = 1$ and $k = k_n(p)$. Since $R$ is saturated, $\zeta \in R$ is a $p^k$-th root of unity. If $a$ is a $p^l$-th power in $R$, then
$$(10) \qquad a^u = \zeta^{p^l v}, \quad \text{with } v \in \mathbb{Z}/(p^{k-l} \cdot \mathbb{Z}).$$
Note that $v \bmod p^i$ can be successively computed for $i = 1, 2, \ldots, k - l$ by comparing the powers $a^{u \cdot p^j}$, $j \ge 0$, to powers of $\zeta$. Given $v$, one can define a solution to $x^p = a$ in the following way. Let $u'$ be such that $u \cdot u' \equiv -1 \bmod p^k$ and $e = (1 + u \cdot u')/p^l$. Then $\beta = a^e \cdot \zeta^{-u' v}$ is such that $\beta^p = a$, which follows from a straightforward computation. □
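The root-finding procedure of Theorem 4 in the field case $R = \mathbb{F}_n$ ($n$ prime, so $t = 1$ and $N = n - 1$), as an added Python example that is not part of the paper; the successive determination of $v \bmod p^i$ is spelled out digit by digit, and the same formula is also applied with $l > 1$, where it returns a $p^l$-th root of $a$ (function names are ours):

```python
# Added example, not from the paper: Theorem 4 over F_n with n prime, so that
# t = 1, N = n - 1 = u * p^k, and zeta is a primitive p^k-th root of unity (the
# saturated root the theorem assumes known).  Function names are ours.

def v_adic(x, p):
    """p-adic valuation of x != 0."""
    v = 0
    while x % p == 0:
        x, v = x // p, v + 1
    return v


def root_of_unity(n, p):
    """A primitive p^k-th root of unity in F_n, k = v_p(n - 1), by trial over
    small bases g: g^u has p-power order, and order exactly p^k unless
    (g^u)^(p^(k-1)) = 1."""
    k = v_adic(n - 1, p)
    u = (n - 1) // p**k
    for g in range(2, n):
        z = pow(g, u, n)
        if pow(z, p ** (k - 1), n) != 1:
            return z
    raise ValueError("no element of order p^k found; is n prime?")


def log_in_p_group(w, eta, h, p, n):
    """Solve eta^v = w for v in Z/p^h, where eta in F_n has order p^h, one p-adic
    digit at a time: the 'compare a^(u p^j) with powers of zeta' step."""
    zeta1 = pow(eta, p ** (h - 1), n) if h > 0 else 1    # primitive p-th root
    digit = {pow(zeta1, d, n): d for d in range(p)}
    v = 0
    for i in range(h):
        rest = (w * pow(eta, -v, n)) % n           # = eta^(p^i * m); digit i is m mod p
        gamma = pow(rest, p ** (h - 1 - i), n)     # = zeta1^(m mod p)
        v += digit[gamma] * p**i
    return v


def huang_root(n, p, zeta, a, l=1):
    """Return beta in F_n with beta^(p^l) = a, given (9): a^(N/p^l) = 1, and a
    primitive p^k-th root of unity zeta.  For l = 1 this is the p-th root of
    Theorem 4; the same formula also works for l > 1 (verified algebraically:
    beta^(p^l) = a^(1 + u u') zeta^(-u' v p^l) = a)."""
    N = n - 1
    k = v_adic(N, p)
    u = N // p**k                                  # (u, p) = 1, k = k_n(p)
    assert 1 <= l <= k and pow(a, N // p**l, n) == 1
    # (10): a^u = zeta^(p^l v) with v in Z/p^(k-l); eta = zeta^(p^l) has order p^(k-l)
    eta = pow(zeta, p**l, n)
    v = log_in_p_group(pow(a, u, n), eta, k - l, p, n)
    u_prime = (-pow(u, -1, p**k)) % p**k          # u * u' = -1 mod p^k
    e = (1 + u * u_prime) // p**l                  # integer: 1 + u u' = 0 mod p^k
    return (pow(a, e, n) * pow(zeta, -u_prime * v, n)) % n   # beta = a^e zeta^(-u' v)


if __name__ == "__main__":
    # constructed sample: n = 13 = 5 mod 8, the r = 2 case discussed in the text
    z = root_of_unity(13, 2)
    print(z, huang_root(13, 2, z, 3), huang_root(13, 2, z, 4))
```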

2.2. Finding Roots of Unity and the Lucas - Lehmer Test. The algorithm described above assumes that a saturated root of unity is known in a galois extension of appropriate degree. This can be found naturally by trial and error. Suppose that one wants to construct a saturated $p$-th cyclotomic extension and $t = \mathrm{ord}_p(n)$. The bootstrapping problem that one faces consists in finding first a galois extension $R/\mathcal{N}$ of degree $t$; if such an extension is provided, one seeks a $p$-th power non-residue, like one would do if $R$ was a field.

Let us recall some facts and usual notations about cyclotomic fields (see also [32]). The $s$-th cyclotomic field is $L_s = \mathbb{Q}(\zeta_s) = \mathbb{Q}[X]/(\Phi_s(X))$, an abelian extension of degree $\varphi(s)$ with ring of integers $\mathcal{O}(L_s) = \mathbb{Z}[\zeta_s]$ and galois group

$$G_s = \mathrm{Gal}(L_s/\mathbb{Q}) = \{\sigma_a : \zeta_s \mapsto \zeta_s^a \text{ where } (a, s) = 1\} \cong (\mathbb{Z}/s \cdot \mathbb{Z})^*.$$

It is noted in [20] that in fact $\sigma_a = \left(\frac{L_s/\mathbb{Q}}{a}\right)$ is in this case the Artin symbol of $a$. We shall adopt the notation of Washington, introduced above. The Theorem of Kronecker - Weber states that all abelian extensions of $\mathbb{Q}$ are subfields of cyclotomic extensions, and if $K/\mathbb{Q}$ is an abelian field, then its conductor is by definition the smallest integer $s$ such that $K \subset L_s$, with $L_s$ the $s$-th cyclotomic extension. The next fact shows where to look for galois extensions of $\mathcal{N}$.

Fact 3. Let $n > 2$ be an integer and $K/\mathbb{Q}$ be an abelian extension of conductor $s$ such that $(s, n) = 1$ and $\mathrm{Gal}(K/\mathbb{Q}) = \langle n \bmod s \rangle$, $t = \mathrm{ord}_s(n) = [K : \mathbb{Q}]$. Then there are $\omega_i \in \mathcal{O}(K)$, $i = 1, 2, \ldots, t$, such that

(11) $\mathcal{O}(K) = \mathbb{Z}[\omega_1, \omega_2, \ldots, \omega_t]$ and $R = \mathcal{N}[\Omega_1, \Omega_2, \ldots, \Omega_t]$,

where $\Omega_i = \omega_i \bmod n\mathcal{O}(K)$.

The ring $R = \mathcal{O}(K)/(n \cdot \mathcal{O}(K))$ is a galois extension of $\mathcal{N}$ if and only if the ring $\mathcal{O}(K)$ has a normal $\mathbb{Z}$-base.

If $t = p^k$ is a prime power, this happens in the following cases:

(i) $s$ is prime and $p^k \,\|\, (s - 1)$.

(ii) $p$ is odd and $s = p^{k+1}$.

(iii) $p = 2$, $k \geq 2$ and $s = 2^{k+2}$.

(iv) $p = 2$ and $k = 1$.

Proof. The ring $\mathcal{O}(K)$ is a free $\mathbb{Z}$-module of rank $t$ and discriminant which divides $s^N$ for some integer $N > 1$, see e.g. [30]. With this, the assertions become simple verifications based upon the definition of $K$ and the one of a galois extension. The assumption that $t = p^k$ can be dropped, by using the linear independence of $s_i$-th cyclotomic extensions ($i = 1, 2$) when $(s_1, s_2) = 1$. □

The following Theorem is useful for constructing roots of unity and the associated cyclotomic extensions, as well as for generalized Lucas - Lehmer tests:

Theorem 5. Let $\mathcal{N}$ and $K$ be a field of conductor $s$ as described in Fact 3, in particular $R = \mathcal{O}(K)/(n \cdot \mathcal{O}(K))$ is a galois extension of $\mathcal{N}$ and with $\mathrm{Gal}(L/\mathbb{Q}) = \langle n \bmod s \rangle$. Suppose that

(12) $\exists\, \alpha \in \mathcal{O}(L)$ such that $\sigma_n(\alpha) = \alpha^n \bmod n \cdot \mathcal{O}(L)$.

For all primes $q \mid s$, let $(n^t - 1)/q = \sum_{i=0}^{t-1} c_i(q) \cdot n^i$ and suppose that

(13) $\beta(q) = \prod_{i=0}^{t-1} \sigma_n^i\!\left(\alpha^{c_i(q)}\right) \bmod n \cdot \mathcal{O}(K)$ verifies $(\beta(q) - 1) \in R^*$.

Let $\beta = \prod_{q \mid s} \beta(q) \bmod n \cdot \mathcal{O}(K)$ and $\sigma$ be the automorphism induced by $\sigma_n$ in $R$. Then $(R, \sigma, \beta)$ is a saturated $s$-th cyclotomic extension of $\mathcal{N}$.

Proof. Let $\Psi(X) = \prod_{i=0}^{t-1} (X - \sigma^i(\beta))$, then $\Psi(X) \in \mathcal{N}[X]$ since $\sigma_n$ generates $\mathrm{Gal}(K/\mathbb{Q})$. Furthermore $\Psi(X) \mid \Phi_s(X)$ by construction and thus $\beta$ is a primitive $s$-th root of unity. The statement follows from (IV) of Theorem 2. Note that $\mathcal{N}[\beta(q)]$ are by construction saturated extensions, and thus $\mathcal{N}[\beta]$ is saturated too. □

Remark 5. In practical applications of Theorem 5, $n \gg q$. We show that there is a simple expansion of the shape $(n^t - 1)/q = \sum_{i=0}^{t-1} c_i(q) \cdot n^i$ which makes the computation of $\beta(q)$ in (13) particularly efficient. Let $n = a \cdot q + b$ with $0 \leq b < q$. Then

$$(n^t - 1)/q = \big((n^t - b^t) + (b^t - 1)\big)/q = (b^t - 1)/q + a \cdot \sum_{i=0}^{t-1} b^{t-1-i} \cdot n^i.$$

This leads to the equation:

(14) $(n^t - 1)/q = \sum_{i=0}^{t-1} c_i(q) \cdot n^i$, with $c_0(q) = (b^t - 1)/q + a \cdot b^{t-1}$

and $c_i(q) = a \cdot b^{t-1-i}$, for $i = 1, \ldots, t-1$.

Note that $c_i(q)$ are not necessarily $< n$, but $c_i(q)/n$ is at most a small number. The regular shape of the coefficients is however very useful for the simultaneous computation of $\alpha^n$ and $\alpha^{c_i(q)}$. Suppose that the cost for the application of one automorphism $\sigma_n$ is $c \cdot$ (multiplication in $R$) - if no fast polynomial multiplication methods are used, then $c = 1$. The time needed for the evaluation of $\beta(q)$ using (14) is bounded by

$$2 \cdot (t - 1)(\log q + c + 1) + \log n.$$

This method of evaluation is thus for $t > (\log q)/\log(n/q^2 \cdot 4^{c+1})$ more efficient than when defining $\beta(q) = \alpha^{(n^t - 1)/q}$ and performing the direct exponentiation.

If $K$ is a field of degree $p^k$ defined by Fact 3, an $s$-th cyclotomic extension can be constructed by using Theorem 5. This is the Lucas - Lehmer approach to constructing cyclotomic extensions. It is obvious that, when the degree of extensions is of importance and the order irrelevant, a minimal $s$ will be chosen.

Remark 6. The extensions constructed by the Lucas - Lehmer method are saturated. This approach is used in [2] for constructing galois fields. We shall also show that this has useful consequences for combining cyclotomic extensions.
3. Gauss and Jacobi sums over Cyclotomic Extensions of Rings

Gauss sums are character sums used in various contexts of mathematics. It will be important for us to note that Gauss sums are Lagrange resolvents encountered when solving the equation $X^s = 1$ with radicals over $\mathbb{Q}$, or, equivalently, when building the $s$-th cyclotomic field $L_s/\mathbb{Q}$ by a succession of prime power galois extensions, see e.g. [17].

Let $n, m > 1$ be integers with $m$ squarefree and let $\lambda(m)$ be the exponent of $(\mathbb{Z}/m \cdot \mathbb{Z})^*$, where $\lambda$ is the Carmichael function. In this section, $u = \lambda(m)$ and $f$ will be some divisor of $u$ and we assume that $(n, mu) = 1$. Let $A \supset \mathcal{N}$ be a galois extension which contains two primitive roots of unity $\xi, \rho$ of respective orders $u, m$. A multiplicative character $\chi : (\mathbb{Z}/m \cdot \mathbb{Z})^* \to \langle \xi \rangle$ is a multiplicative group homomorphism $(\mathbb{Z}/m \cdot \mathbb{Z})^* \to \langle \xi \rangle$. We denote by $\widehat{(\mathbb{Z}/m \cdot \mathbb{Z})}$ the set of multiplicative characters defined on $(\mathbb{Z}/m \cdot \mathbb{Z})^*$; the set $\widehat{(\mathbb{Z}/m \cdot \mathbb{Z})}$ builds a multiplicative group and the order of $\chi$ is the cardinality of the image $\mathrm{Im}(\chi)$. We shall also denote characters $\chi \in \widehat{(\mathbb{Z}/m \cdot \mathbb{Z})}$ by characters modulo $m$.

Let $\chi \in \widehat{(\mathbb{Z}/m \cdot \mathbb{Z})}$ and $d$ be a divisor of $m$. If there is a character

$$\chi' : (\mathbb{Z}/(m/d) \cdot \mathbb{Z})^* \to \langle \xi \rangle$$

such that

$$\chi(x) = \chi'(x \bmod (m/d)) \quad \text{for all } x \in (\mathbb{Z}/m \cdot \mathbb{Z})^*,$$

then $\chi$ is said to be induced by $\chi'$. A character $\chi : (\mathbb{Z}/m \cdot \mathbb{Z})^* \to \langle \xi \rangle$ is called primitive if it is induced by no character different from itself; in this case, $m$ is called the conductor of $\chi$. Each character $\chi$ is induced by a unique primitive character $\chi'$ and the conductor of $\chi$ is defined to be equal to the conductor of the primitive character it is induced by. In particular, the principal character $\mathbf{1} : \{1\} \to \langle 1 \rangle$ is primitive and has conductor $1$.

For $\chi \in \widehat{(\mathbb{Z}/m \cdot \mathbb{Z})}$, we shall set for ease of notation

$$\chi(x) = 0 \quad \text{for } (x, m) > 1.$$
The Gauss sum of $\chi$ with respect to $\rho$ is the element of $A$ given by$^2$:

(15) $\tau(\chi) = -\sum_{x \in \mathbb{Z}/(m \cdot \mathbb{Z})} \chi(x) \cdot \rho^x.$

The Gauss sum depends upon the choice of an element in $\langle \rho \rangle$ according to:

(16) $\tau_{\rho^a}(\chi) = -\sum_{x \in \mathbb{Z}/(m \cdot \mathbb{Z})} \chi(x) \cdot \rho^{a \cdot x} = \chi^{-1}(a) \cdot \tau(\chi), \quad \forall a \in (\mathbb{Z}/m \cdot \mathbb{Z})^*.$

Let $\nu \in (\mathbb{Z}/m \cdot \mathbb{Z})^*$, $H(\nu) = (\mathbb{Z}/m \cdot \mathbb{Z})^* / \langle \nu \bmod m \rangle$ and $h$ be a coset in $H(\nu)$. The $h$-th Gauss period with respect to $\nu$ is defined by:

(17) $\eta_h(\rho, \nu) = \sum_{x \in h} \rho^x, \quad \forall h \in H(\nu).$

Let $H(\nu)^\perp = \{\chi \in \widehat{(\mathbb{Z}/m \cdot \mathbb{Z})} \mid \chi(\nu) = 1\}$. $H(\nu)^\perp$ is dual to $H(\nu)$ in the sense that characters $\chi \in H(\nu)^\perp$ operate on cosets $h \in H(\nu)$. Gauss sums and Gauss periods are connected by:

(18) $\tau(\chi) = -\sum_{h \in H(\nu)} \chi(h) \cdot \eta_h(\rho, \nu)$

and

(19) $|H(\nu)| \cdot \eta_h(\rho, \nu) = -\sum_{\chi \in H(\nu)^\perp} \chi^{-1}(h) \cdot \tau(\chi), \quad \forall h \in H(\nu).$

Equation (18) follows by using $\chi(\nu) = 1$ and regrouping the summation order in (15). Identity (19) is a consequence of the following:

Fact 4. If $G$ is a subgroup of $\widehat{(\mathbb{Z}/m \cdot \mathbb{Z})}$ and $x \in (\mathbb{Z}/m \cdot \mathbb{Z})^*$, then

$$(20) \qquad s(x) = \sum_{\chi \in G} \chi(x) = \begin{cases} 0, & \exists\, \chi \in G \wedge \chi(x) \neq 1, \\ |G|, & \text{otherwise.} \end{cases}$$

Proof. If $s(x) \neq 0$, then $s(x) \cdot (1 - \chi(x)) = 0$ leads to the claimed result. □

$^2$ We adopt Lang's sign definition for the character sums.
If $\chi, \chi' \in \widehat{(\mathbb{Z}/m \cdot \mathbb{Z})}$ are primitive, the Jacobi sum $j(\chi, \chi')$ is defined by:

(21) $j(\chi, \chi') = -\sum_{x \in \mathbb{Z}/(m \cdot \mathbb{Z})} \chi(x) \cdot \chi'(1 - x).$

Gauss and Jacobi sums factor with respect to the ideals $p^{v(p)} \cdot \mathbb{Z}/(m \cdot \mathbb{Z})$ of $\mathbb{Z}/(m \cdot \mathbb{Z})$, where $p^{v(p)} \,\|\, m$, and this will allow us to restrict our attention to characters of prime conductor. The factorization is given by the following:

Fact 5. Let $\chi \in \widehat{(\mathbb{Z}/m \cdot \mathbb{Z})}$ and $m = \prod_{p \mid m} p^{v(p)}$. Then there are characters $\chi_p \in \widehat{(\mathbb{Z}/p^{v(p)} \cdot \mathbb{Z})}$ and Gauss sums $\tau_p(\chi_p)$ such that:

(22) $\tau(\chi) = \prod_{p \mid m} \tau_p(\chi_p).$

If $\chi', \chi'' \in \widehat{(\mathbb{Z}/m \cdot \mathbb{Z})}$, then there are characters $\chi'_p, \chi''_p \in \widehat{(\mathbb{Z}/p^{v(p)} \cdot \mathbb{Z})}$ and Jacobi sums $j_p(\chi'_p, \chi''_p)$ such that:

(23) $j(\chi', \chi'') = \prod_{p \mid m} j_p(\chi'_p, \chi''_p).$

Proof. The proof is an exercise in the use of the Chinese Remainder Theorem. □

If $\chi$ is a primitive character, the absolute value of its Gauss sum is determined by:

(24) $\tau(\chi) \cdot \tau(\chi^{-1}) = \chi(-1) \cdot m.$

Gauss and Jacobi sums are connected by:

(25) $j(\chi, \chi') \cdot \tau(\chi \cdot \chi') = \tau(\chi) \cdot \tau(\chi')$, if $\chi$, $\chi'$ and $\chi \cdot \chi'$ are primitive.

Let $\chi$ be a character of conductor $m$ and order $f$; the multiple Jacobi sums $J_\nu(\chi)$ are defined by:

$$J_1 = 1,$$

(26) $J_{\nu+1} = J_\nu \cdot j(\chi, \chi^\nu)$, for $\nu = 1, 2, \ldots, f-2$,

$$J_f = \chi(-1) \cdot m \cdot J_{f-1}.$$

It is easy to verify by induction that:

(27) $J_\nu = \dfrac{\tau(\chi)^\nu}{\tau(\chi^\nu)}$, for $\nu = 1, 2, \ldots, f$,

where the sum of the trivial character is set by definition to $\tau(\chi^f) = 1$. The Chinese Remainder Theorem can be used for expressing the Gauss sum of a character $\chi$ as a product of Gauss sums of characters of prime power orders.

Remark 7. If $m = q$ is a prime, $\nu \in (\mathbb{Z}/q \cdot \mathbb{Z})^*$ and $t$ and $f$ are such that $t = \mathrm{ord}_q(\nu)$ and $f = \varphi(q)/t$, then $H(\nu) = (\mathbb{Z}/q \cdot \mathbb{Z})^* / \langle \nu \bmod q \rangle$ is a cyclic group isomorphic to $\{g^j \cdot \langle \nu \rangle \mid j = 1, 2, \ldots, f\}$, where $g$ is a generator of $(\mathbb{Z}/q \cdot \mathbb{Z})^*$. With $\rho$ a primitive $q$-th root of unity, the relations (17) - (19) can be rewritten explicitly as:

(28) $\eta_j(\rho, \nu) = \sum_{i=1}^{t} \rho^{g^{j + f \cdot i}}$, for $j = 1, 2, \ldots, f$.

(29) $\tau(\chi) = -\sum_{j=1}^{f} \eta_j(\rho, \nu) \cdot \chi(g^j)$, $\forall \chi \in H(\nu)^\perp$.

(30) $f \cdot \eta_j(\rho, \nu) = -\sum_{i=1}^{f} \chi^{-i}(g^j) \cdot \tau(\chi^i)$, for $j = 1, 2, \ldots, f$.

It follows from (30) that the Gauss sums $\tau(\chi)$, $\chi \in H(\nu)^\perp$, are Lagrange resolvents for the Gauss periods $\eta_j(\rho, \nu)$. In this context, one can interpret (18) as a generalization of Lagrange resolvents to abelian extensions. We shall see in the next chapter that Gauss periods generate intermediate extensions in cyclotomic fields. The Gauss sums can be used to calculate the periods and thus to generate intermediate cyclotomic fields.

Gauss sums can be defined for primitive characters of prime power conductors; the properties arising in this context have been investigated in [23] but are not of interest in our present context. This explains the choice of $s$ as being squarefree in the definitions above.

In the case when $n = r$ is a prime and $A$ is a field of characteristic $r$, the action of the Frobenius upon Gauss sums induces some formulae which are specific for character sums over finite fields. Let $\chi$ be a primitive character of conductor $m$ and order $f$; $\xi, \rho \in A$ are primitive roots of unity, with respective orders $f$ and $m$. We investigate the action of the automorphism $\phi_r : x \mapsto x^r$ of $A$ upon $\tau(\chi)$. By using (16) we have:

(31) $\tau(\chi)^r = \chi^{-r}(r) \cdot \tau(\chi^r)$

and iterating (31) we get:

(32) $\tau(\chi)^{r^k} = \chi^{-k \cdot r^k}(r) \cdot \tau(\chi^{r^k})$, for $k \geq 1$.

If $r^k \equiv 1 \bmod f$, then

(33) $\tau(\chi)^{r^k - 1} = \chi^{-k}(r).$

The relations (31) and (33) are central in primality testing. It will be important to have efficient computing methods for powers of Gauss and Jacobi sums, if they are to be used in practical algorithms.

4. Further Criteria for Existence of Cyclotomic Extensions

The condition (II) in Theorem 2 is central for primality proving and motivates the interest in proving the existence of cyclotomic extensions. One way of doing this is shown in Theorem 5 and it generalizes the classical Lucas - Lehmer tests. The condition (III) can be connected by relation (19) to Gauss periods and sums.

The resulting conditions indicate the direction for the Jacobi sum test. Before stating them, let us introduce some notations. Let $n, s, t$ be like in Theorem 2 and $\xi_t, \xi_s \in \mathbb{C}$ be fixed; furthermore, we assume that there exists a saturated $t$-th cyclotomic extension $R \supset \mathcal{N}$ and $\zeta \in R$ is a primitive $t$-th root of unity. We shall write like previously $\widehat{(\mathbb{Z}/s \cdot \mathbb{Z})}$ for the characters with image in $R$, while $\widehat{(\mathbb{Z}/s \cdot \mathbb{Z})}_T = \{\chi : (\mathbb{Z}/s \cdot \mathbb{Z})^* \to \langle \xi_t \rangle, \text{ with } \chi \text{ multiplicative}\}$. For $a \in (\mathbb{Z}/s \cdot \mathbb{Z})^*$ we let $H(a) = (\mathbb{Z}/s \cdot \mathbb{Z})^* / \langle a \bmod s \rangle$ and

$$H(a)^\perp = \{\chi \in \widehat{(\mathbb{Z}/s \cdot \mathbb{Z})} : \chi(a) = 1\} \subset \widehat{(\mathbb{Z}/s \cdot \mathbb{Z})}$$

be its dual. The set $H(a)^\perp_T \subset \widehat{(\mathbb{Z}/s \cdot \mathbb{Z})}_T$ is defined by analogy. Then,

Theorem 6. The following statement is equivalent to (I) - (IV) of Theorem 2:

(V) If the Gauss sums $\tau(\chi)$ are defined for $\chi \in \widehat{(\mathbb{Z}/s \cdot \mathbb{Z})}_T$ with respect to $\xi_s$, then:

$$\forall \chi \in H(n)^\perp_T \quad \exists \text{ a homomorphism } \vartheta : \mathbb{Z}[\xi_t, \tau(\chi)] \to R.$$

Proof. Suppose that (III) holds, thus a map $r : A = \mathcal{O}\big(\mathbb{Q}(\xi_s)^{\langle n \bmod s \rangle}\big) \to \mathcal{N}$ exists. In particular, it follows that the Gauss periods $\eta_h(\xi_s, n) = \sum_{x \in h} \xi_s^x$ with $h \in H(n)$ are mapped to $\mathcal{N}$. Let $\vartheta$ be the lift of $r$ with $\vartheta(\xi_t) = \zeta \in R$. If $\tau(\chi)$ are Gauss sums with respect to $\xi_s$ and $\chi \in H(n)^\perp$, then we gather from (18) that $\vartheta(\tau(\chi)) \in R$, which proves that (III) $\Rightarrow$ (V).

Suppose now that (V) holds and let $B \subset \mathbb{Z}[\xi_t, \xi_s]$ be the ring generated by $\xi_t$ and the Gauss sums $\tau(\chi)$, $\chi \in H(n)^\perp$, while $\vartheta : B \to R$ is such that $\vartheta(\tau(\chi)) \in R$. Using (19) we see that $\vartheta$ maps the Gauss periods $\eta_h$ to $R$, and if $\sigma$ generates the Galois group of $R/\mathcal{N}$ acting on $\zeta$, then $\vartheta(\eta_h)$ are $\sigma$-invariant, so $\vartheta(\eta_h) \in \mathcal{N}$.

Using reduction modulo primes $r \mid n$ and arguments from the proof of Theorem 2, we deduce that $r \in \langle n \bmod s \rangle$ and thus (V) $\Rightarrow$ (II), which completes the proof. □

Note that since only characters $\chi \in H(n)^\perp$ are considered, the condition (V) is a slight improvement of the one used in the initial form of the Jacobi sum test [1], which involved all characters in $\widehat{(\mathbb{Z}/s \cdot \mathbb{Z})}$.

Lemma 2. Let $p, q$ be primes not dividing $n$, with $p^k \,\|\, (q - 1)$, and $(R, \sigma, \zeta)$ be a saturated $p$-th cyclotomic extension of $\mathcal{N}$. Let $\chi \in \widehat{(\mathbb{Z}/q \cdot \mathbb{Z})}$ be a character of order $p^k$ and $\alpha, \beta \in R$ be given by:

(34) $\alpha = J_{p^k}(\chi)$ and $\beta = J_\nu(\chi)$, where $\nu = n \bmod p^k$.

Let $l = [n/p^k]$ and suppose that

(35) $\alpha^l \cdot \beta = \eta^{-n}$ holds for some $\eta \in \langle \zeta \rangle$.

Then $\eta = \chi(n)$ and $\chi(r) = \chi(n)^{l_p(r)}$, $\forall r \mid n$, with $l_p(r)$ defined in Lemma 1.

Proof. Let $R' = R[X]/(\Phi_q(X))$ and define $\zeta_q = X + \Phi_q(X) \in R' = R[X]/(\Phi_q(X))$; one proves that $R'$ is a galois extension of $R$ and also of $\mathcal{N}$. We then define the Gauss sum $\tau(\chi)$ with respect to $\zeta_q$ and claim that the identities on multiple Jacobi sums hold for this sum; this is a simple verification and is left to the reader. The actual identities are meaningful in the ring $R$, but we need $R'$ for introducing the Gauss sums. By the definition of $\alpha, \beta$ and $l$, (35) is equivalent to

(36) $\tau(\chi)^n = \eta^{-n} \cdot \sigma(\tau(\chi)).$

Raising (36) to the power $n$ repeatedly, we find:

(37) $\tau(\chi)^{n^i} = \eta^{-i \cdot n^i} \cdot \sigma^i(\tau(\chi))$, $\forall i \geq 1$,

and, with $i = p^k \cdot (p - 1)$ and $N = n^i$,

(38) $\tau(\chi)^{N-1} = 1.$

If $r \mid n$ is a prime and $\mathfrak{R} \subset R'$ a maximal ideal through $r$, then by (8)

(39) $\tau(\chi)^r = \chi(r)^{-r} \cdot \tau(\chi^r) \bmod \mathfrak{R}.$

From the existence of the saturated $p$-th extension $R$ we gather, by Fact 1, that there are two integers $l_p(r), u_p(r)$ verifying (5). With these, we let $m \in \mathbb{N}$ be such that $m \equiv l_p(r) \bmod p^k$ and $m \equiv u_p(r) \bmod (p - 1)$, so that $\sigma^m(\chi) = \chi^r$ and

(40) $v_p(r - n^m) = v_p\big(n^m \cdot (r/n^m - 1)\big) \geq v_p(N - 1).$

We let $i = m$ in (37), use $\sigma^m(\tau(\chi)) = \tau(\chi^r)$ and divide by (39). This is allowed, since $\tau(\chi) \cdot \tau(\chi^{-1}) = \pm q$ and $(q, n) = 1$; the result is:

(41) $\tau(\chi)^{n^m - r} = \big(\chi(r) \cdot \eta^{-m}\big)^r \bmod \mathfrak{R}.$

Let $u$ be the largest divisor of $(N - 1)$ which is coprime to $p$. From (38), (40) and by raising (41) to the power $u$, we get:

(42) $1 = \big(\chi(r) \cdot \eta^{-m}\big)^{r \cdot u} \bmod \mathfrak{R}.$

Now $\psi = \chi(r) \cdot \eta^{-m} \in R$ is a root of unity of some $p$-power order and, since $(ru, p) = 1$, (42) gives $\psi \equiv 1 \bmod \mathfrak{R}$. We claim that $\psi = 1$; if this was not the case, some power $\psi'$ of $\psi$ would be a primitive $p$-th root of unity, so that

$$\frac{X^p - 1}{X - 1}\Big|_{X = \psi'} = \sum_{x=0}^{p-1} \psi'^{\,x} = 0,$$

and since $\psi' \equiv 1 \bmod \mathfrak{R}$, we should have a fortiori $p \equiv 0 \bmod \mathfrak{R}$, which contradicts $(p, r) = 1$. So $\psi = 1$ and thus $\chi(r) = \eta^m = \eta^{l_p(r)}$. This holds for all primes $r \mid n$ and, by multiplicativity, for all divisors $r' \mid n$. In particular, since $l_p(n) = 1$, it follows that $\eta = \chi(n)$. □

Remark 8. The equivalent relations (35) and (36) are reminiscent of the identity (31) holding in finite fields. The statement of the Lemma holds a fortiori when replacing (35) by

(43) $\alpha^{(n^{t_p} - 1)/p^k} = \chi^{-t_p}(n)$, with $t_p = \mathrm{ord}_{p^k}(n)$,

which is the analog of (33) and is obtained by iteration of (36). Here $\alpha = J_{p^k}(\chi)$ like in the hypothesis above.
The Lemma 2 indicates the steps for proving the existence of $s$-th cyclotomic extensions with Jacobi sums. This is the corner stone of the Jacobi sum test:

Corollary 1. Suppose that $s$ is square-free, $t = \mathrm{ord}_s(n)$ and $R$ is a saturated $t$-th extension of $\mathcal{N}$ with $\zeta \in R$, $\Phi_t(\zeta) = 0$. We let $\widehat{(\mathbb{Z}/s \cdot \mathbb{Z})}$ be the set of characters of conductor $s$ with images in $\langle \zeta \rangle$, the sets $\mathcal{P}, \mathcal{Q}$ be given by (3) and

(44) $\mathcal{C} = \big\{\chi_\mathfrak{p} \in \widehat{(\mathbb{Z}/s \cdot \mathbb{Z})} : \mathfrak{p} \in \mathcal{Q},\ \chi_\mathfrak{p} \text{ has conductor } q \text{ and order } p^k\big\}.$

Suppose that

(45) $\tau(\chi_\mathfrak{p})^{n - \sigma} \in \langle \chi_\mathfrak{p}(n) \rangle$, $\forall \mathfrak{p} \in \mathcal{Q}$,

or, alternately, for all $\mathfrak{p} \in \mathcal{Q}$ one has:

(46) $\alpha_\mathfrak{p}^{(n^{t_p} - 1)/p^k} = \chi_\mathfrak{p}(n)^{-t_p}$, with $t_p = \mathrm{ord}_{p^k}(n)$ and $\alpha_\mathfrak{p} = \tau(\chi_\mathfrak{p})^{p^k}.$

Then an $s$-th cyclotomic extension of $\mathcal{N}$ exists.

Proof. Using Lemma 2, respectively (43), we deduce from (45) or (46) that $\chi(r) = \chi(n^{l_p(r)})$ for all the characters $\chi \in \widehat{(\mathbb{Z}/s \cdot \mathbb{Z})}$. Let $L(r) \equiv l_p(r) \bmod p^k$ for all $p^k \,\|\, t$; then we have a fortiori $\chi(r) = \chi(n^{L(r)})$ for all $\chi \in \widehat{(\mathbb{Z}/s \cdot \mathbb{Z})}$ and, by duality, $r \equiv n^{L(r)} \bmod s$. This holds for all $r \mid n$, which implies (II) and the fact that an $s$-th cyclotomic extension of $\mathcal{N}$ exists. □

The conditions for existence of $s$-th cyclotomic extensions, which are based on Gauss sums, require $s$ to be squarefree. This is not the case for the Lucas - Lehmer test in Theorem 5. We wish to combine the information about extensions proved by the two methods. This happens to be quite easy, since the extensions proved by means of Theorem 5 are saturated and thus (8) holds by Lemma 1. We group these observations in

Fact 6. Let $(s_1, s_2) = 1$ with $s_2$ squarefree, $s = s_1 \cdot s_2$ and $t_i = \mathrm{ord}_{s_i}(n)$, $i = 1, 2$, $t = \mathrm{ord}_s(n)$. Suppose that $(R, \sigma, \zeta)$ is a saturated $t$-th cyclotomic extension of $\mathcal{N}$ and $t_1 \mid [R : \mathcal{N}]$. Furthermore there is a $\beta \in R$ with

$$\Phi_{s_1}(\beta) = 0 \quad \text{and} \quad \beta^n = \sigma(\beta),$$

such that $(R, \beta, \sigma)$ is saturated as an $s_1$-th extension. If the conditions of Corollary 1 apply for $s = s_2$, then an $s$-th cyclotomic extension of $\mathcal{N}$ exists.

Furthermore, if $s_i$ are any coprime integers such that saturated $s_i$-th cyclotomic extensions of $\mathcal{N}$ exist and $s = \prod_i s_i$, then a saturated $s$-th extension exists.

Proof. Let $r \mid n$ be a prime. The proof of Corollary 1 and the fact that the $s_1$-th extension is saturated imply, by means of Lemma 1, that $\chi(r) = \chi(n^{L(r)})$ for all characters $\chi \in \widehat{(\mathbb{Z}/s \cdot \mathbb{Z})}$ with $L(r) \equiv l_p(r) \bmod p^{v_p(t)}$ and all $p \mid t$. The statement about combinations of saturated extensions is a direct consequence of Lemma 1. □

5. Certification

Certificates for primality proofs are data collected during the performance of the test of primality for a given number $n$. The certificate allows to perform a verification of the primality of $n$ in (sensibly) less time than it took to collect the data. A recursive Pratt certificate [29] is the following: suppose that $n = aF + 1$ is a prime and $\prod_{i=1}^{k} \mathfrak{q}_i = F > \sqrt{n}$, with $\mathfrak{q}_i = p_i^{e_i}$ being prime powers. Furthermore, suppose that $b_i \in \mathbb{Z}$ are such that $\Phi_{\mathfrak{q}_i}(b_i) \equiv 0 \bmod n$, or $b_i = c_i^{(n-1)/\mathfrak{q}_i} \bmod n$, while $\big(c_i^{(n-1)/p_i} - 1, n\big) = 1$ and $c_i^{n-1} \equiv 1 \bmod n$. A certificate $C(n)$ is defined recursively by

$$C(n) = \{b_i : i = 1, 2, \ldots, k\} \cup \Big(\bigcup_{i=1}^{k} C(p_i)\Big),$$

with $C(p_i)$ being certificates for $p_i$. If $b_i$ are computed by trial and error, using the $c_i$ above, the time for building a certificate is larger than the one required for its verification. This example suggests a generalization to CPP. We may mention that it was believed until recently that certification was an advantage of ECPP and not achievable for CPP. It is not the case, as we show here.
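A verifier for the recursive certificate $C(n)$ just described, as an added example that is not the paper's code: the dictionary layout of the certificate, the witnesses $c_i$ stored in it, the treatment of $2$ and $3$ as base cases, and the sample values for $n = 31$ are this example's own constructions.

```python
from math import gcd

# Verifier for the recursive Pratt-style certificate C(n) described above.
# Added example, not the paper's code.  A certificate is a dict mapping each
# prime n to a list of (p_i, e_i, c_i): q_i = p_i^{e_i} are the prime powers
# dividing n - 1 whose product is F > sqrt(n), and c_i is the witness from
# which b_i = c_i^{(n-1)/q_i} mod n is derived.  Primes 2 and 3 are accepted
# without a certificate (an assumption of this example).

def cyclotomic_prime_power(p, e, b, n):
    """Phi_{p^e}(b) mod n, using Phi_{p^e}(X) = sum_{j<p} X^{j p^{e-1}}."""
    step = p**(e - 1)
    return sum(pow(b, j * step, n) for j in range(p)) % n

def check_witness(n, p, e, c):
    """Pocklington conditions for one prime power q = p^e dividing n - 1:
    c^{n-1} = 1 mod n and gcd(c^{(n-1)/p} - 1, n) = 1.  Returns b_i or None."""
    q = p**e
    if (n - 1) % q != 0 or pow(c, n - 1, n) != 1:
        return None
    if gcd(pow(c, (n - 1) // p, n) - 1, n) != 1:
        return None
    b = pow(c, (n - 1) // q, n)
    # Phi_q(b) * (b^{q/p} - 1) = b^q - 1 = 0 mod n and b^{q/p} - 1 is a unit,
    # so the cyclotomic form Phi_{q_i}(b_i) = 0 mod n of the certificate holds.
    assert cyclotomic_prime_power(p, e, b, n) == 0
    return b

def verify_certificate(n, cert):
    """True iff cert proves n prime: every witness passes, every p_i is itself
    certified recursively, and F = prod q_i exceeds sqrt(n)."""
    if n in (2, 3):
        return True
    if n < 2 or n not in cert:
        return False
    F = 1
    for p, e, c in cert[n]:
        if check_witness(n, p, e, c) is None or not verify_certificate(p, cert):
            return False
        F *= p**e
    return F * F > n            # F > sqrt(n), the Pratt/Pocklington bound

# constructed sample certificate for n = 31: 30 = 2 * 3 * 5, F = 6 > sqrt(31)
SAMPLE_CERT = {31: [(2, 1, 3), (3, 1, 3)], 3: [(2, 1, 2)]}

if __name__ == "__main__":
    print(verify_certificate(31, SAMPLE_CERT))
```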

The relation (46) shows that if $\chi_\mathfrak{p}(n) = 1$ and an $s$-th cyclotomic extension does exist, then not only $\tau(\chi_\mathfrak{p}) \in R$, as follows from (V), but it also can be explicitly computed in $R$ by means of Theorem 4. This would provide for a certificate which can be verified by exponentiations with exponent $p^k$ in $R$; however, the list $\mathcal{C}$ contains also characters which do not vanish at $n$. In such cases, one first modifies $\alpha_\mathfrak{p}$ accordingly before taking a $p^k$-th root.

The resulting criteria are given in

Theorem 7. Let $s$ be squarefree, $t = \mathrm{ord}_s(n)$ and $R = \mathcal{N}[\zeta]$ be a saturated $t$-th cyclotomic extension. Let $\mathcal{Q}, \mathcal{P}, \mathcal{C}$ be defined in (3), (44) and suppose that for all $\mathfrak{p} \in \mathcal{Q}$ there is a $\beta_\mathfrak{p} \in R$ such that, for $t = t_p = \mathrm{ord}_{p^k}(n)$:

(47) $\beta_\mathfrak{p}^{p^k} = \chi_\mathfrak{p}(n)^{-\frac{t \cdot p^k}{n^t - 1}} \cdot \alpha_\mathfrak{p}$, with $t = \mathrm{ord}_{p^k}(n)$ and $\alpha_\mathfrak{p} = \tau(\chi_\mathfrak{p})^{p^k}.$

Then an $s$-th cyclotomic extension of $\mathcal{N}$ exists.

Proof. If $n$ is prime, then

$$\tau(\chi_\mathfrak{p})^{n^t - 1} = \chi_\mathfrak{p}(n)^{-t}, \quad \text{i.e.} \quad \alpha_\mathfrak{p}^{\frac{n^t - 1}{p^k}} = \chi_\mathfrak{p}(n)^{-t},$$

as a consequence of (33), and the expression $\chi_\mathfrak{p}(n)^{-\frac{t \cdot p^k}{n^t - 1}} \cdot \alpha_\mathfrak{p}$ is in this case a $p^k$-th power in $R$, as follows from Theorem 4. The existence of $\beta_\mathfrak{p}$ is a necessary condition for primality and thus consistent with our purpose.

Since $R$ is saturated, $S = R[X]/(X^t - \zeta)$ is a $t^2$-th cyclotomic extension and in particular galois with group of order $t \cdot \mathrm{ord}_t(n)$. We claim that $S$ contains a primitive $s$-th root of unity $\omega$ upon which $\sigma$ acts, making $(S, \sigma, \omega)$ into an $s$-th cyclotomic extension in the sense of Remark 3. Our proof relies upon Theorem 6.

We first prove an auxiliary fact about saturation. Let $\mathfrak{p} \in \mathcal{Q}$, let

$$\delta_\mathfrak{p} = \chi_\mathfrak{p}(n)^{\frac{t}{n^t - 1}}$$

and $u = k_p(n)$ be the saturation exponent of $p$ with respect to $n$. Then there is an integer $0 \leq v < p^u$ such that

$$\frac{t}{n^t - 1} = \frac{v}{p^u} + m, \quad \text{with } m \in \mathbb{Z},$$

and hence

(48) $\delta_\mathfrak{p}^{p^u} = \chi_\mathfrak{p}(n)^{v + m \cdot p^u} \in R$ and $\delta_\mathfrak{p} \in S.$

Footnote: We suppress here, for typographic reasons, writing out the explicit dependency on $\mathfrak{p}$.
Indeed, let $t' = \mathrm{ord}_p(n)$, so that $v_p(n^{t'} - 1) = u$, and suppose that $\frac{t'}{n^{t'} - 1} \equiv \frac{v}{p^u} \bmod \mathbb{Z}$. The assertion follows for $\mathfrak{p} = (p^k, q)$ with $k \leq u$; if $k = u + j$, then by the definition of saturation, $t = \mathrm{ord}_{p^{u+j}}(n) = p^j \cdot t'$. Since

$$\frac{n^{p^j \cdot t'} - 1}{p^j \cdot (n^{t'} - 1)} \equiv 1 \bmod p^u,$$

as shown by a short calculation, it follows that

$$\frac{t}{n^t - 1} \equiv \frac{t'}{n^{t'} - 1} \bmod \mathbb{Z},$$

thus proving the claim. Note that $\gamma_\mathfrak{p} = \beta_\mathfrak{p} \cdot \delta_\mathfrak{p}$ is a solution of $X^{p^k} = \alpha_\mathfrak{p} = \tau(\chi_\mathfrak{p})^{p^k}$.

Let as usual $\xi_t, \xi_s \in \mathbb{C}$ be fixed and $\psi \in H_T(n)^\perp$ be a character of order $p^k$ with image in $\langle \xi_t \rangle$, satisfying $\psi(n) = 1$, and let $\chi \in \widehat{(\mathbb{Z}/s \cdot \mathbb{Z})}$ be the image of $\psi$ by $\vartheta : \xi_t \mapsto \zeta$. We want to show that $\vartheta$ can be extended to $\tau(\psi)$. This is done as follows: $\alpha(\psi) = (\tau(\psi))^{p^k} \in \mathbb{Z}[\xi_t]$, so we can set $\alpha(\chi) = \vartheta(\alpha(\psi)) \in R$ and then $\mathbb{Z}[\xi_t, \tau(\psi)] \cong \mathbb{Z}[\xi_t][X]/(X^{p^k} - \alpha(\psi))$. The map $\vartheta$ extends to $\tau(\psi)$ if we can show that the equation $T^{p^k} = \vartheta(\alpha(\psi)) = \alpha(\chi)$ has a solution in $R$. Furthermore, if this holds for any $\mathfrak{p} \in \mathcal{Q}$, we conclude that for each $\psi \in H_T(n)^\perp$ the Gauss sum $\tau(\psi)$ maps to $R$ and the claim then follows from (V). Now if $\psi \in H_T(n)^\perp$ is a character of order $m$, it can be decomposed in a product $\psi = \prod_{p^k \| m} \psi_p$ of characters of prime power orders $p^k \,\|\, m$. The Gauss sum $\tau(\psi) = J(\psi) \cdot \prod_{p^k \| m} \tau(\psi_p)$, where we assumed that $\vartheta(\tau(\psi_p)) \in R$ and $J(\psi)$ is a product of Jacobi sums which also maps to $R$.

Suppose that the prime decomposition of $s$ is $s = \prod_{i=1}^{d} q_i$ and define the factor characters $\chi_i(x) = \chi(x \bmod q_i)$; the decomposition formula (22) implies that $\tau(\chi) = \prod_{i=1}^{d} \tau(\chi_i)$. By definition of $\mathcal{P}$, there are pairs $\mathfrak{p}_i = (p^{k_i}, q_i) \in \mathcal{P}$ such that $\chi_i = \chi_{\mathfrak{p}_i}$. Using (16), we have $\big(\vartheta(\tau(\chi_i))\big)^{p^{k_i}} = (\beta_i \cdot \delta_i)^{p^{k_i}} \in R$ with $\beta_i = \beta_{\mathfrak{p}_i}$, etc. Note that we have to raise to the power $p^{k_i}$ in the previous formula, in order to consider elements which are defined in $R$; an alternative solution would be a formal adjunction of an $s$-th root of unity to $R$. The hypothesis $\chi(n) = 1$ and relation (48) imply that

$$\tau(\chi)^{p^u} = \Big(\prod_{i=1}^{d} \beta_i\Big)^{p^u} \cdot \prod_{i=1}^{d} \chi_i(n)^{v + m_i p^u} = \Big(\prod_{i=1}^{d} \beta_i \cdot \chi_i(n)^{m_i}\Big)^{p^u} \cdot \prod_{i=1}^{d} \chi_i(n)^{v} = \beta^{p^u},$$

with $m_i$ the integer $m$ of (48) for $\mathfrak{p}_i$ and $\beta = \prod_{i=1}^{d} \beta_i \cdot \chi_i(n)^{m_i} \in R$. This shows that $\vartheta(\tau(\chi)) \in R$ as claimed, and completes the proof for odd $p$ or $p = 2$ and $n \equiv 1 \bmod 4$. If $n \equiv 3 \bmod 4$ and $p = 2$, the saturation context is different. The proof uses an appropriate variant of (48) and shall be skipped here. □

It is useful to note that (47) substantially accelerates the evaluation of (46), making it comparable to the one of (45). As a consequence, computing a certificate requires no substantial additional work compared to the classical Jacobi sum test.

5.1. Computation of Jacobi Sums and their Certification. We are interested in the computation of Jacobi sums $j(\chi, \chi^a)$, where $\chi = \chi_\mathfrak{p}$ is a character of prime conductor $q$ and prime power order $p^k \mid (q - 1)$. For these sums, the absolute value is

(49) $j(\chi, \chi^a) \times \overline{j(\chi, \chi^a)} = q.$

Since the conductor $q$ of Jacobi sums in CPP has superpolynomial size, their computation is a critical step which deserves some attention. From the theoretical point of view, the recent random polynomial algorithm of Ajtai, Kumar and D. Sivakumar [4] for finding shortest vectors in lattices solves the concrete problem in polynomial, and in fact linear, time and space. Indeed, as we detail below, Jacobi sums of characters of order $P$ are shortest vectors in certain well rounded lattices, i.e. lattices with a base of vectors of equal length. In a lattice of dimension $P$, the algorithm [4] takes $O(2^P)$ space and time, and since in the context of CPP the size is $P = O(\log \log n)$, it follows that Jacobi sums can be computed in random linear time.

In practice, the dimensions of lattices are quite small and, in view both of constants and implementation complexity of the shortest vector algorithm, it is useful to discuss some simpler practical methods too.

For moderate values of $q$, possibly $q < 10^{14}$, the direct computation based on the definition (21) is adequate and fast. The bottleneck is the necessity to store a table of discrete logarithms modulo $q$. This can simply be avoided by performing the computation of Gauss periods in $\mathbb{C}$, then computing Gauss and Jacobi sums in $\mathbb{C}$ too; finally, from the conjugates of a Jacobi sum, one recovers its coefficients as an algebraic integer. The method is straightforward and was implemented in the Master Thesis [22].

For larger conductors, it is preferable to use methods of lattice reduction. These have been investigated in [11], [33], [32] and are based on the following observation. Let $\mathfrak{Q} \subset \mathbb{Z}[\xi_{p^k}]$ be a prime ideal above $q$; note that the choice of $\mathfrak{p}$ implies that $q$ splits completely and $\mathfrak{Q}$ has inertial degree one. Let $G = \mathrm{Gal}(\mathbb{Q}(\xi_{p^k})/\mathbb{Q})$ and $I \subset \mathbb{Z}[G]$ be the Stickelberger ideal. There is an element $\theta \in I$, a sum over the $c$ with $(c, p) = 1$ and $0 < c < p^k$, such that

(50) $\big(j(\chi, \chi^a)\big) = \sigma\big(\mathfrak{Q}^{\theta}\big)$,

for some $\sigma \in G$. The ideal $\mathfrak{Q}^\theta$ can be represented by a $\mathbb{Z}$-base, being a free $\mathbb{Z}$-module of rank $\varphi(p^k)$. As such, it is a lattice and it follows from (49) that $\sigma^{-1}\big(j(\chi, \chi^a)\big) \in \mathfrak{Q}^\theta$ is a shortest vector of this lattice, with respect to the embedding (Gauss) norm $\|x\|^2 = \sum_{\sigma \in G} |\sigma(x)|^2$.

This opens the road for applications of methods of lattice reduction. Without entering in details, which can be found in the references, we mention that lattice reduction allows use of large conductors, but the growth of the order - which controls the dimension of the lattice - is critical. Indeed, the problem of finding the shortest vector in a lattice of dimension $d$ with initial base of vectors bounded by $q$ has complexity $O\big(d^d \cdot \log(q)^{O(1)}\big)$. In practice, due in part to the particularity that the lattices to consider (generated by Jacobi sums) have a basis of shortest vectors - they are well rounded - the computations are quite efficient, and shortest vectors are frequently found directly by LLL, for character orders up to at least $P \approx 125$.

A more efficient LLL based approach, which works for small class numbers of the cyclotomic field $\mathbb{Q}(\xi_P)$, follows the method used by Buhler and Koblitz in [11]: Let $\mathfrak{Q} \subset \mathbb{Q}(\xi_P)$ be an ideal above the conductor $q$. If $h$ is the class number, then find by LLL a generator of $\mathfrak{Q}^h$ and compute Jacobi sum powers $j(\chi, \chi')^h$ by use of Stickelberger elements. If the generator of $\mathfrak{Q}^h$ is found correctly by LLL, then this method uses only one LLL computation for a given conductor and order.

Finally, the implementations of PARI for computing the structure of class and unit groups of number fields turned out to be very efficient in computing Jacobi sums too. The bottleneck there is the space requirement, since finding generators of principal ideals is based on building up all the information on class and unit groups. Here, we use the fact that multiple Jacobi sums have to be computed in the same field, so the field construction, which is slower, happens only once.

Since the computations in $\mathbb{C}$ and the LLL based method are not guaranteed to yield Jacobi sums - the first due to rounding errors, the second due to the shortest vector problem - it is therefore interesting that one can certify very easily that the value of a Jacobi sum is correct, using the very formulae displayed above. This comes both as a verification and as part of a certificate for ulterior verifications of a primality proof. More precisely, we have:

Lemma 3. Let $\mathfrak{p} = (p^k, q)$ with $p^k \mid (q - 1)$ and $p, q$ being primes. Let $0 < a < p^k$ be an integer and $\xi = \xi_{p^k} \in \mathbb{C}$ be fixed. If $\alpha \in \mathbb{Z}[\xi]$, there is a deterministic algorithm which verifies whether $\alpha = j(\chi, \chi^a)$ for some character $\chi \in \widehat{(\mathbb{Z}/q \cdot \mathbb{Z})}_T$ of conductor $q$ and order $p^k$. The verification is done in $O\big(p^{2k} \cdot \log(q)\big)$ binary operations.

Proof. A first condition which must be fulfilled by a Jacobi sum is the local $p$-adic norming condition $j \equiv \pm 1 \bmod (1 - \xi)^2$, see e.g. [16], and this fixes the choice of a root of unity factor. Thus one starts by verifying that

(51) $\alpha \times \overline{\alpha} = q$, and $\alpha \equiv \pm 1 \bmod (1 - \xi)^2$,

in $O(p^k \cdot \log(q))$ operations - note that the coefficients of a Jacobi sum have size $\sim \sqrt{q}$ and thus a multiplication of two Jacobi sums has the complexity above.

Since $q \equiv 1 \bmod p^k$ there is a $c \in \mathbb{Z}$ with $\Phi_{p^k}(c) \equiv 0 \bmod q$ and thus $\mathfrak{Q} = (\xi - c, q)$ is a prime ideal above $q$. Next one computes $\beta = (\xi - c)^\theta \in \mathbb{Z}[\xi]$ with $\theta \in I$ defined by (50). This is done in $O(p^{2k} \cdot \log(q))$ operations. Finally, one checks if there is a $\sigma \in G$ such that $\sigma(\beta) \equiv 0 \bmod \alpha$. If yes, then $\alpha$ is a Jacobi sum and $\alpha = j(\chi, \chi^a)$ for some character of order $p^k$ and conductor $q$, otherwise the claim is false. □
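An added example (not the paper's code) serving both the definition (21) with the norm relation (49) and the certification checks (51) of Lemma 3: exact Jacobi sums in $\mathbb{Z}[\xi_{p^k}]$ for small conductors, computed from a discrete-logarithm table as in the direct method of 5.1. The coefficient-list representation of $\mathbb{Z}[\xi]$, the generator convention $\chi(g) = \xi$ and the function names are this example's own; the Stickelberger step of Lemma 3 is not implemented.

```python
# Exact Jacobi sums j(chi, chi^a) in Z[xi], xi a primitive m-th root of unity
# with m = p^k >= 3, together with the checks (51) of Lemma 3.  Added example,
# not the paper's code.  An element of Z[xi] is an integer list indexed by the
# exponent of xi; canonical form reduces modulo Phi_{p^k}(X) = Phi_p(X^{p^{k-1}}).

def canonical(v, p, k):
    """Reduce a length-m coefficient vector modulo Phi_{p^k}; returns a copy
    supported on the power basis xi^0, ..., xi^{phi(m)-1}."""
    step = p**(k - 1)
    v = list(v)
    for j in range(step):
        top = j + (p - 1) * step              # xi^top = -sum_{i<p-1} xi^{j+i*step}
        c = v[top]
        if c:
            for i in range(p - 1):
                v[j + i * step] -= c
            v[top] = 0
    return v

def mul(a, b, p, k):
    """Product in Z[xi]: cyclic convolution mod X^m - 1, then canonical form."""
    m = p**k
    out = [0] * m
    for i, x in enumerate(a):
        if x:
            for j, y in enumerate(b):
                out[(i + j) % m] += x * y
    return canonical(out, p, k)

def conj(a, p, k):
    """Complex conjugation xi -> xi^{-1} on Z[xi]."""
    m = p**k
    out = [0] * m
    for i, x in enumerate(a):
        out[(-i) % m] += x
    return canonical(out, p, k)

def jacobi_sum(q, p, k, a):
    """j(chi, chi^a) = -sum_x chi(x) chi^a(1 - x), definition (21) with Lang's
    sign, for the character of conductor q and order m = p^k fixed by
    chi(g) = xi, g the smallest primitive root mod q (small q only: a full
    discrete-logarithm table mod q is built)."""
    m = p**k
    assert (q - 1) % m == 0
    for g in range(2, q):                     # find a primitive root mod q
        ind, y = {}, 1
        for i in range(q - 1):
            ind[y] = i
            y = y * g % q
        if len(ind) == q - 1:
            break
    out = [0] * m
    for x in range(2, q):                     # chi(0) = 0 removes x = 0 and x = 1
        out[(ind[x] + a * ind[(1 - x) % q]) % m] -= 1
    return canonical(out, p, k)

def in_lambda_squared(b, p, k):
    """Membership of b in the ideal (1 - xi)^2.  For m >= 3 this holds iff
    b(1) = 0 and b'(1) = 0 mod p (Taylor expansion of b(X) at X = 1; both
    values are well defined modulo Phi_{p^k} because Phi(1) and Phi'(1)
    are divisible by p)."""
    return sum(b) % p == 0 and sum(i * c for i, c in enumerate(b)) % p == 0

def passes_lemma3_checks(alpha, q, p, k):
    """Condition (51): alpha * conj(alpha) = q and alpha = +-1 mod (1 - xi)^2."""
    m = p**k
    alpha = canonical(alpha, p, k)
    norm_ok = mul(alpha, conj(alpha, p, k), p, k) == [q] + [0] * (m - 1)
    sign_ok = any(in_lambda_squared([alpha[0] - s] + alpha[1:], p, k) for s in (1, -1))
    return norm_ok and sign_ok

if __name__ == "__main__":
    # constructed sample: cubic character of conductor 7 gives j(chi, chi) = 1 + 3 xi
    j = jacobi_sum(7, 3, 1, 1)
    print(j, passes_lemma3_checks(j, 7, 3, 1))
```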

6. Algorithms 

The previous sections provide the theoretical foundation for the CPP primality 
proving algorithms. These consist of three steps, which are partially interdependent. 
Like usual, we denote by n a number to be proved prime and Q,V,C are defined 
by and respectively. The main steps of the algorithms are the following: 

A. Work Extensions: Select two parameters s,t such that t — ord s (n) and 
build a saturated t—th extension R/A/" - e.g. by using the Lucas - Lehmer 
method of Theorem [S] 



3 The sign is always positive, if one adopts Lang's definition of Gauss sum, with a minus sign. 
B. Parameters: Let $s' \mid (n^{t} - 1)$ be a totally factored part$^{4}$ with $(s, s') = 1$, let $s_{1}$ be the order of a saturated $s'$-th extension, thus $s_{1} = \prod_{q \mid s'} q^{k_{q}}$, and $S = s \cdot s_{1}$. Verify $S > \sqrt{n}$. An optimization cycle can lead back to A. At the end, optimal values of $S, s, s'$ and $t$ are chosen and the fixed conditions $S > \sqrt{n}$ and $t = \operatorname{ord}_{s}(n)$ hold. 

C. Test part: 

C1. Prove the existence of a saturated $s'$-th cyclotomic extension in $\mathsf{R}$, by using Theorem 5. This is the Lucas-Lehmer part of the test, and it can be void. 
C2. Build the sets $\mathcal{V}, \mathcal{C}$ with respect to the current value of $s$ and verify (35) for all characters $\chi \in \mathcal{C}$. This is the Jacobi sum part of the test. 
C2'. Alternately, if a certificate is required along with the test, after building the list $\mathcal{C}$, one finds $\beta_{\mathfrak{p}} \in \mathsf{R}$ verifying (37). 
C3. Perform the final trial division, verifying that (7) yields no nontrivial factors of $n$. 

Unless $n$ has some special form, so that many prime factors of $F_{k} = n^{k} - 1$ are known for small $k \mid t$, the parameter $s'$ is either set to $1$ and thus neglected, or gained by investing some time in the factorization of the same numbers $F_{k}$. An important observation, which does not influence the asymptotic behavior of the algorithms but generates a useful speed up, consists of the fact that one can verify (35) simultaneously for a set of characters of mutually coprime orders. 
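The parameter side of steps A and B and the final trial division C3, as an added example that is not the paper's code: it grows $t$ as the product of the first prime powers (the heuristic stated in Section 8) until $s = f(t) = \prod_{(q-1) \mid t} q$ exceeds $\sqrt{n}$, replaces $t$ by $\operatorname{ord}_{s}(n)$, lists the pairs $(p^{k}, q)$ with $p^{k} \,\|\, (q-1)$, and trial-divides $n$ by the residues $n^{k} \bmod s$. Steps C1 and C2, which make the procedure a proof, are not implemented; the `generator` parameter only anticipates that Corollary 2 runs the same cycle check with $v$ in place of $n$. All names are my own.

```python
# Steps A, B and C3 of Section 6 on the parameter side only: choose t and
# s = f(t) with s > sqrt(n), list the pairs (p^k, q), and run the final trial
# division along the cycle <n mod s>.  Assumed helper names; the Jacobi-sum
# and Lucas-Lehmer steps C1/C2 that make this a proof are NOT implemented.
from math import gcd, lcm


def is_prime_small(m):
    """Trial-division primality for the small auxiliary primes q (q <= t + 1)."""
    if m < 2:
        return False
    if m % 2 == 0:
        return m == 2
    d = 3
    while d * d <= m:
        if m % d == 0:
            return False
        d += 2
    return True


def primes_for_t(t):
    """The primes q with (q - 1) | t; their product is s = f(t) of Theorem 9."""
    return [d + 1 for d in range(1, t + 1) if t % d == 0 and is_prime_small(d + 1)]


def multiplicative_order(a, m):
    """ord_m(a) by repeated multiplication; caller guarantees gcd(a, m) == 1."""
    assert gcd(a, m) == 1
    a %= m
    x, k = a, 1
    while x != 1:
        x = x * a % m
        k += 1
    return k


def choose_parameters(n):
    """Steps A/B: grow t = lcm(1, ..., b) (the 'first prime powers' heuristic of
    Section 8) until s = f(t) satisfies s^2 > n, then take t = ord_s(n) and
    build Q = {(p^k, q) : q | s, p^k || (q - 1)}.  Returns (t, s, sorted Q)."""
    t0, b = 1, 1
    while True:
        qs = primes_for_t(t0)
        s = 1
        for q in qs:
            s *= q
        if s * s > n:
            break
        b += 1
        t0 = lcm(t0, b)
    if gcd(n, s) != 1:
        # n shares a small prime with s: n is that prime or n is composite.
        raise ValueError(f"gcd(n, s) = {gcd(n, s)} > 1")
    t = multiplicative_order(n, s)
    pairs = set()
    for q in qs:
        m, p = q - 1, 2
        while m > 1:
            if m % p == 0:
                pk = 1
                while m % p == 0:
                    m //= p
                    pk *= p
                pairs.add((pk, q))
            p += 1
    return t, s, sorted(pairs)


def final_trial_division(n, s, t, generator=None):
    """Step C3.  Once an s-th cyclotomic extension is proved, every divisor
    r | n satisfies r = g^k mod s for some 0 <= k < t, with g = n (or g = v in
    Corollary 2).  Since s > sqrt(n), a nontrivial divisor r < sqrt(n) < s must
    equal g^k rem s exactly, so dividing n by these residues is conclusive.
    Returns such a divisor or None; k runs from 1 (the text quotes 2, ..., t-1)."""
    g = n if generator is None else generator
    r = g % s
    for k in range(1, t):
        if 1 < r < n and n % r == 0:
            return r
        r = r * g % s
    return None


if __name__ == "__main__":
    for n in (101, 215, 221):
        t, s, pairs = choose_parameters(n)
        print(n, (t, s, pairs), final_trial_division(n, s, t))
```

For all three sample inputs the procedure picks $t = 6$, $s = 42$ and $\mathcal{Q} = \{(2,3), (2,7), (3,7)\}$. The prime $101$ yields no divisor; $215 = 5 \cdot 43$ is caught because $215 \equiv 5 \bmod 42$. The composite $221 = 13 \cdot 17$ also yields no divisor, since neither $13$ nor $17$ lies in $\langle 221 \bmod 42 \rangle = \{11, 37, 29, 25, 23, 1\}$: by Theorem 2 no $42$-th cyclotomic extension exists for $221$, so it is step C2, not C3, that rejects it. This is why the trial division alone proves nothing.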

Definition 7. We define an amalgam as a subset $A \subset \mathcal{Q}$ such that $\{p(\mathfrak{p}) : \mathfrak{p} \in A\}$ are pairwise coprime. If $\mathfrak{p} = (p^{k}, q)$ and $t(\mathfrak{p}) = \operatorname{ord}_{p^{k}}(n)$, then an amalgam $A$ is rooted, if there is a $\mathfrak{p}_{0} \in A$ such that $t(\mathfrak{p}) \mid t(\mathfrak{p}_{0})$ for all $\mathfrak{p} \in A$. 

The relevance of amalgams is provided by the following: 

Theorem 8. Let $A$ be an amalgam, 
$$f = f(A) = \prod_{\mathfrak{p} \in A} p^{k(\mathfrak{p})}, \qquad f' = \operatorname{rad} f = \prod_{\mathfrak{p} \in A} p(\mathfrak{p}), \qquad t = \operatorname{ord}_{f}(n),$$ 
and $(\mathsf{R}, \sigma, \zeta)$ a saturated $f$-th cyclotomic extension of $\mathcal{N}$, the roots $\{\zeta_{p} : p = p(\mathfrak{p}),\ \mathfrak{p} \in A\} \subset \mathsf{R}$ being all saturated of orders $p(\mathfrak{p})$. For $\mathfrak{p} \in A$, let: 
$$(52)\qquad \alpha(\mathfrak{p}) = J_{p^{k(\mathfrak{p})}}(\chi_{\mathfrak{p}}) \quad\text{and}\quad \beta(\mathfrak{p}) = J_{v(\mathfrak{p})}(\chi_{\mathfrak{p}}), \quad\text{where } v(\mathfrak{p}) = n \text{ rem } p^{k}.$$ 
Let $n = f \cdot l + v$ with $0 \le v < f$ and $v = p^{k(\mathfrak{p})} \cdot \lambda(\mathfrak{p}) + v(\mathfrak{p})$, for $\mathfrak{p} \in A$. Define $\alpha$ and $\beta$ by 
$$(53)\qquad \alpha = \prod_{\mathfrak{p} \in A} \alpha(\mathfrak{p})^{f/p^{k(\mathfrak{p})}} \in \mathsf{R} \quad\text{and}\quad \beta = \prod_{\mathfrak{p} \in A} \alpha(\mathfrak{p})^{\lambda(\mathfrak{p})} \cdot \beta(\mathfrak{p}) \in \mathsf{R}.$$ 
Suppose there is an $\eta \in \langle \zeta \rangle$ such that 
$$(54)\qquad \alpha^{l} \cdot \beta = \eta^{-n}.$$ 
Then $\chi(\mathfrak{p})(r) = \chi(\mathfrak{p})(n)^{l_{\mathfrak{p}}(r)}$ for all $r \mid n$ and $\mathfrak{p} \in A$. Furthermore $\eta = \prod_{\mathfrak{p} \in A} \chi(\mathfrak{p})(n)$. 



$^{4}$ It is assumed that $s'$ is built up from primes $q' \mid s'$ such that the orders $t(q') = \operatorname{ord}_{q'}(n) \mid t$ are small. 
Proof. The proof is similar to the one of Lemma 2. We shall describe the general ideas and refer the reader to [23] for the complete proof. One first adds formal $q(\mathfrak{p})$-th roots of unity to $\mathsf{R}$ in order to define some Gauss sums which verify, by definition of $\alpha$ and $\beta$ and (54): 
$$(55)\qquad \prod_{\mathfrak{p}} \tau(\chi_{\mathfrak{p}})^{n} = \prod_{\mathfrak{p}} \eta(\mathfrak{p})^{-n} \cdot \tau(\sigma(\chi_{\mathfrak{p}})).$$ 
Then one decomposes $\eta$ in a product of $p$-th power roots of unity and, raising (55) repeatedly to the $n$-th power, obtains: 
$$(56)\qquad \prod_{\mathfrak{p}} \tau(\chi_{\mathfrak{p}})^{n^{h}} = \prod_{\mathfrak{p}} \eta(\mathfrak{p})^{-h \cdot n^{h}} \cdot \sigma^{h}(\tau(\chi_{\mathfrak{p}})), \qquad \forall\, h \ge 1.$$ 
Inserting $h = t$, one has: 
$$(57)\qquad \prod_{\mathfrak{p}} \tau(\chi_{\mathfrak{p}})^{n^{t} - 1} = 1.$$ 
Let $r \mid n$ be a prime and $\mathfrak{M} \supset (r)$ a maximal ideal. By analogous steps to the proof of Lemma 2, one eventually shows that: 
$$(58)\qquad \prod_{\mathfrak{p}} \left( \frac{\chi_{\mathfrak{p}}(r)}{\eta_{\mathfrak{p}}} \right)^{n} \equiv 1 \bmod \mathfrak{M}.$$ 
Since $(n, f) = 1$, we get $\prod_{\mathfrak{p}} \left( \frac{\chi_{\mathfrak{p}}(r)}{\eta_{\mathfrak{p}}} \right) = 1$. This product of roots of unity of coprime order can only be $1$ if all factors are $1$ and thus: 
$$\chi_{\mathfrak{p}}(r) = \eta_{\mathfrak{p}}.$$ 
The rest of the statement follows by multiplicativity and using $l_{p(\mathfrak{p})}(n) = 1$. □ 

7. Deterministic primality test 

Corollary 1, Theorem 5 and the certification theorem (Theorem 7) are used as bases for an explicit primality test, which proceeds by providing a proof of existence of an $s$-th cyclotomic extension of $\mathcal{N}$ for some $s > \sqrt{n}$ such that $t = \operatorname{ord}_{s}(n)$ is small, de facto $O\big(\log(n)^{\log^{(3)}(n)}\big)$. 

In all cases, the existence of saturated $p$-th extensions is required for all $p \mid t$. Such an extension, or a proof of compositeness for $n$, can be gained in polynomial time if one assumes the existence of some $p$-power non residues of small height [7], an existence which follows from the GRH. The versions of CPP based on this assumption are thus probabilistic Las Vegas algorithms; they shall be described with algorithmic details in a separate paper dealing with implementations. 

The use of GRH is in the case of CPP explicit, in the sense that the failure to find the required non residues in the expected range, together with an a posteriori proof of primality for $n$, which can be gained with a variety of methods, would yield a counterexample to the generalized Riemann hypothesis. 

It is however of a certain theoretical interest that one can also prove a deterministic version of the Jacobi sum test, one that does not rely upon the existence of saturated extensions. This version was proposed by Adleman, Pomerance and Rumely in [1] and adapted by Lenstra in his exposition [18]. Both sources present the deterministic algorithm as one which is independent of the Las Vegas variant of the Jacobi sum test, and are based on computation in excessively large extensions. 
We give here an improved and simplified version, based on the ideas in [18]. Certainly, the question about the interest of this variant after the AKS test [3] must be addressed. In fact, should the highly improbable event occur that the Las Vegas version is not sufficient, then the deterministic version of CPP may still be more efficient than AKS for larger numbers; this is due both to asymptotic behavior and mostly to the space requirements, which are very high for AKS. We add the theory for the deterministic variant here, for the sake of completeness. 

Let thus, as usual, $n$ be an integer to be tested for primality and $s, t$ integers with $t = \operatorname{ord}_{s}(n)$, and set 
$$P = \{\, p \mid t : p \text{ is a prime such that } p \mid (q - 1) \text{ for some } q \mid s \text{ and no saturated } p\text{-th extension of } \mathcal{N} \text{ is known} \,\}.$$ 

Since the Jacobi sum method can be used for actually constructing $p$-th extensions, it follows that in the cases of interest for the deterministic version, the valuation $v_{p}(n^{p-1} - 1) > 1$ for odd $p$ or $n \equiv 1 \bmod 4$, and $v_{2}(n^{2} - 1) > 3$ otherwise. 

The deterministic test described in [18] generalizes the idea of the Rabin-Miller test. It gives an alternative version of (8) in the $p$-adic numbers $\mathbb{Z}_{p}$. This leads to proving that the divisors $r \mid n$ also lie in some cycles generated by a number $v \bmod t$, which can be explicitly constructed: the structure of the criterion is similar to (II) in Theorem 2, replacing $n$ by $v$. Since in general $v \neq n$, the approach paradoxically suggests that no $s$-th cyclotomic extensions exist, according to Theorem 2. 

We consider in depth the case when $p \in P$ is odd or $n \equiv 1 \bmod 4$. The saturation index is in these cases $k_{p}(n) = v_{p}(n^{p-1} - 1)$ and we shall assume that 
$$k_{p}(n) = \kappa + 1 > 1.$$ 

For such $p$ we let $\mathcal{Q}_{p} = \{\, \mathfrak{p} = (p^{k(q)}, q) : q \mid s;\ p^{k(q)} \,\|\, (q - 1) \,\}$ and define $k_{m} = \max_{\mathfrak{p} \in \mathcal{Q}_{p}} \{k(q)\}$. With this we fix $\zeta = \zeta_{p^{k_{m}}}$ and for $l < k_{m}$ we shall assume the compatibility conditions $\zeta_{p^{l}} = \zeta^{p^{k_{m} - l}}$. For a $q \mid s$ let $\xi = \xi_{q}$ be a root of unity, $\Pi \subset G = \operatorname{Gal}(\mathbb{Q}(\xi_{q})/\mathbb{Q})$ be the maximal $p$-group, $H = G/\Pi$ and $\eta_{q} = \sum_{\sigma \in H} \sigma(\xi_{q})$. We shall consider the rings 
$$\mathsf{R} = \mathbb{Z}[\zeta]/(n \cdot \mathbb{Z}[\zeta]) \quad\text{and}\quad \mathsf{Q} = \mathbb{Z}[\zeta, \eta_{q}]/(n \cdot \mathbb{Z}[\zeta, \eta_{q}]).$$ 

Let $\mathfrak{p} = (p^{k(q)}, q) \in \mathcal{Q}_{p}$; $n^{\varphi(p^{k(q)})} - 1 = u(q) \cdot p^{\kappa + k(q)}$ with $(u(q), p) = 1$, and fix a character $\chi = \chi_{\mathfrak{p}} : (\mathbb{Z}/q \cdot \mathbb{Z})^{*} \to \langle \zeta \rangle$. We assume that 
$$(59)\qquad (\tau(\chi))^{n - \sigma_{n}} = \omega(\chi)^{-n} \in \langle \zeta \rangle,$$ 
where $\sigma_{a} \in \operatorname{Gal}(\mathbb{Q}(\zeta)/\mathbb{Q}) : \zeta \mapsto \zeta^{a}$, holds in $\mathsf{Q}$; a fortiori, if $N = [\mathbb{Q}(\zeta, \xi) : \mathbb{Q}]$, we have $(\tau(\chi))^{n^{N} - 1} \in \langle \zeta \rangle$. Let $\lambda(\chi) = \tau(\chi)^{u(q)} \in \mathsf{Q}$ and 
$$\bar{p} = \begin{cases} p & \text{if } p \text{ is odd} \\ 4 & \text{otherwise.} \end{cases}$$ 

With this, we define 
$$(60)\qquad J_{\chi} \subset 1 + \bar{p}\mathbb{Z}_{p} = \{\, a \in 1 + \bar{p}\mathbb{Z}_{p} : \lambda(\chi)^{a - \sigma_{a}} \in \langle \zeta \rangle \,\}.$$ 
By (59) we have $n^{p-1} \in J_{\chi}$ and thus $J_{\chi}$ is a non empty subgroup of $U_{1} = 1 + \bar{p}\mathbb{Z}_{p}$. The structure of $U_{1}$ implies that $J_{\chi} = (1 + p^{j})^{\mathbb{Z}_{p}}$ for a given, yet to be determined, positive integer $j$. By analogy to the Rabin-Miller test, we let $a_{i} = 1 + p^{i} \in \mathbb{Z}_{p}$, build the sequence 
$$x_{i}(q) = (\lambda(\chi))^{a_{i} - \sigma_{a_{i}}}, \qquad i = 0, 1, \ldots, k(q) + \kappa,$$ 
and consider the following conditions: 
D1 The halting condition $x_{k(q) + \kappa} \in \langle \zeta \rangle$ holds. This is the condition (59) and is related to (35). 
D2 For $j(q) = \min\{i : x_{i} = 1\}$, $x_{j-1} \in \langle \zeta \rangle$, if $j > 0$. 
D3 If $\exists\, l > 0 : x_{l} \notin \langle \zeta \rangle$, then for the maximal such $l$, 
$$\ldots = 1; \qquad h = 1, 2, \ldots \le p^{k(q)}.$$ 

The first two conditions are Rabin-Miller; by the third, the value of $j(q)$ in the definition of $J_{\chi}$ is the one determined in D2. This provides the information that will be used for combining tests. 

We now show how this functions. Let $\mathfrak{p} \in \mathcal{Q}_{p}$, consider a prime $r \mid n$ and suppose $r^{p-1} \notin J_{\chi}$. Then, with $j = j(\mathfrak{p})$ given by D2, there is an $m \in \mathbb{Z}_{p}^{*}$ with $1 + p^{i} = r^{(p-1)m}$ for some $i < j$, and the relation (32) implies: 
$$x_{i} = (\tau(\chi)^{u})^{r^{(p-1)m} - \sigma_{r^{(p-1)m}}} \equiv \chi(r)^{-(p-1)m \cdot u \cdot r^{(p-1)m}} \bmod r\mathsf{R}.$$ 
This contradicts condition D3 and thus: 
$$r^{p-1} \in J_{\chi}.$$ 

We shall define $j_{p} = \max\{j(\mathfrak{p}) : \mathfrak{p} \in \mathcal{Q}_{p}\}$ and choose some $q(p) \mid s$ such that $q$ gives rise to the maximal value of $j$, so there is a $\mathfrak{p} = (p^{v}, q(p)) \in \mathcal{Q}_{p}$ with $j(\mathfrak{p}) = j_{p}$. The condition D3 applied to this particular choice of $\mathfrak{p}$, which we shall also refer to as the maximal pair $\mathfrak{p} \in \mathcal{Q}_{p}$, implies: 
$$(61)\qquad r^{p-1} = (1 + p^{j_{p}})^{\mu_{p}(r)}, \quad \forall\, r \mid n, \text{ with some } \mu_{p}(r) \in \mathbb{Z}_{p}.$$ 
Of course, $\langle n^{p-1} \rangle^{\mathbb{Z}_{p}} = (1 + p^{1 + \kappa})^{\mathbb{Z}_{p}}$. If $j_{p} = \kappa + 1$, then $r^{p-1} \in \langle n^{p-1} \rangle^{\mathbb{Z}_{p}}$ for all $r \mid n$ and consequently the condition (8) is fulfilled. A saturated $p$-th extension exists, albeit one that could not be constructed by the trial and error method of Theorem 5. We deduce from (61) a condition which is similar to the one in Lemma 2. 

Lemma 4. Notations being like above, we assume that $n \equiv 1 \bmod 4$ if $p = 2 \in P$. Suppose that the existence of $\mu_{p}(r)$ in (61) is proved by verifying D3 for a maximal $\mathfrak{p} \in \mathcal{Q}_{p}$ for all $p \in P$ and that for all $\mathfrak{p} = (p^{k(q)}, q) \in \mathcal{Q}_{p}$, letting $\chi = \chi_{\mathfrak{p}} : (\mathbb{Z}/q \cdot \mathbb{Z})^{*} \to \langle \zeta_{p} \rangle$, the condition (59) is verified. Then there is a character: 
$$(62)\qquad \tilde{\chi} : J_{\chi} \to \langle \zeta \rangle \quad\text{with}\quad \tilde{\chi}(r) = \chi(r) \quad \forall\, r \mid n.$$ 
In particular, $\tilde{\chi}(n) = \chi(n)$. 

Proof. We may assume that $J_{\chi} = \langle a \rangle^{\mathbb{Z}_{p}}$ with $a = (1 + p^{j})$ and $j \le j_{p}$. Let us define $\eta \in \langle \zeta \rangle$ by the relation $\eta^{-u a} = \lambda(\chi)^{a - \sigma_{a}} \in \langle \zeta \rangle$ and fix the character $\tilde{\chi} : J_{\chi} \to \langle \zeta \rangle$ by $\tilde{\chi}(a) = \eta$. If $r \mid n$ is a prime, by (32), 
$$(\tau(\chi)^{u})^{r^{p-1} - \sigma_{r^{p-1}}} \equiv \chi(r)^{-u(p-1)\, r^{p-1}} \bmod r\mathsf{R},$$ 
while setting $r^{p-1} = a^{\mu}$, with the obvious definition of $\mu$ in dependence of $\mu_{p}(r)$, yields 

Comparing the last two identities, we find: 
$$\chi(r)^{-(p-1)\, u\, r^{p-1}} \equiv \eta^{-\mu\, u\, r^{p-1}} \bmod r\mathsf{R}.$$ 
From $(u\, r^{p-1}, p) = 1$ and Lemma 2 we have 
$$\chi(r)^{p-1} = \eta^{\mu} = \tilde{\chi}(a)^{\mu} = \tilde{\chi}(a^{\mu}) = \tilde{\chi}(r^{p-1}).$$ 
Since $p - 1 \in \mathbb{Z}_{p}^{*}$, we also have $\tilde{\chi}(r) = \chi(r)$ and, by multiplicativity, $\tilde{\chi}(n) = \chi(n)$, which completes the proof. □ 



Remark 9. It is of practical relevance to note that all computations can in fact be performed in the rings $\mathsf{R} = \mathbb{Z}[\zeta]/(n\mathbb{Z}[\zeta])$, by using multiple Jacobi sums. This is clear for the verification of (59). In order to determine the value of $j$ in D2, one has to compute $(\tau(\chi)^{a_{i} - \sigma_{a_{i}}})$ for $a_{i} = 1 + p^{i}$ and this computation can also be completed in $\mathsf{R}$, by definition of the multiple Jacobi sum $J_{a}(\chi)$. 

Let us introduce the notation $\pi_{2}(p) = \{\, q \mid s : \exists\, \mathfrak{p} = (p^{k(q)}, q) \in \mathcal{Q}_{p} \,\}$ and $\pi_{2}(P) = \bigcup_{p \in P} \pi_{2}(p)$. We have the following deterministic test variant: 

Corollary 2. Let the notations be like above and suppose that if $2 \in P$ then $n \equiv 1 \bmod 4$. Suppose that for all $p \notin P$ and $\mathfrak{p} \in \mathcal{Q}$ with $\mathfrak{p} = (p^{k}, q)$, the relation (35) holds and that the existence of the characters $\tilde{\chi}$ in Lemma 4 has been proved for all $\chi = \chi_{\mathfrak{p}}$, $\mathfrak{p} \in \mathcal{Q}_{p}$ and $p \in P$. For all $q \mid s$, let $v(q)$ be defined by 
$$\chi(v(q)) = \begin{cases} \chi(n) & \text{if } q \notin \pi_{2}(P) \\ \tilde{\chi}(1 + p^{j_{p}}) & \text{for all } p \in P \text{ with } q \in \pi_{2}(p),\ \mathfrak{p} = (p^{k(q)}, q) \in \mathcal{Q}. \end{cases}$$ 
Let $v \in (\mathbb{Z}/s \cdot \mathbb{Z})$ be defined with the Chinese Remainder Theorem, by the congruences $v \equiv v(q) \bmod q$ for all $q \mid s$. Then all divisors $r \mid n$ verify $r \in \langle v \bmod s \rangle$. 

Proof. Let $r \mid n$ and $\chi_{\mathfrak{p}}$ be a character, with $\mathfrak{p} = (p^{k}, q)$; if $p \notin P$, then $\chi_{\mathfrak{p}}(v) = \chi_{\mathfrak{p}}(n)$ and $\chi(r) = \chi(v)^{l_{p}(r)}$, as a consequence of Corollary 1. If $\mathfrak{p} \in \bigcup_{p \in P} \mathcal{Q}_{p}$, then the proof of Lemma 4 implies that $\chi(r) = \chi(v)^{\mu_{p}(r)}$. By choosing $m \equiv \mu_{p}(r)$ modulo the appropriate power of $p$ if $p \in P$, and $m \equiv l_{p}(r)$ modulo that power otherwise, we find that $\chi(r) = \chi(v)^{m}$ for all characters $\chi$ of $(\mathbb{Z}/s \cdot \mathbb{Z})^{*}$. By duality it follows that $r \equiv v^{m} \bmod s$ as claimed. □ 



We shall sketch now the case $p = 2$ and $n \equiv 3 \bmod 4$. As suggested by saturation, we consider here $n^{2} - 1$ instead of $n - 1 = n^{p-1} - 1$ and note that $\mathbb{Z}_{2}^{*} = 3^{\mathbb{Z}_{2}} \times 5^{\mathbb{Z}_{2}}$ is not cyclic any more. For all $q$, one defines like before the characters $\chi = \chi_{\mathfrak{p}}$ and determines $J_{\chi} \subset \mathbb{Z}_{2}^{*}$. If $J_{\chi} \neq \langle n^{2} \rangle$, then $n$ is composite, while for the remaining cases one can define characters $\tilde{\chi}$ and show eventually that an $s$-th cyclotomic extension of $\mathcal{N}$ exists. There are some technical obstructions [23], resulting from the fact that in a first step only $\tilde{\chi}^{2}$ is naturally defined, and $\tilde{\chi}$ having order a power of $2$, there is an ambiguity in its definition. The condition D3 has to be modified and the ambiguity is removed by considering a $\rho \in (\mathbb{Z}/s \cdot \mathbb{Z})^{*}$ with $\rho^{2} = 1$ and showing that the possible divisors $r \mid n$ belong this time to the set $\{\, v^{k},\ \rho v^{k} \bmod s : k = 1, 2, \ldots, t \,\}$, with $v$ defined like in the Corollary. We refer to [18], [23] for details. 
8. Asymptotics and run times 

In this section we evaluate the asymptotic expected run-time of the cyclotomy test. We shall use, for ease of notation, the symbol $\mathcal{V}$ for the set of all rational primes. The following theorem is well-known in the context of primality tests [1]. 

Theorem 9 (Prachar, Odlyzko, Pomerance). There exists an effectively computable positive constant $c$ such that $\forall\, n > e^{e}$, $\exists\, t > 0$ satisfying 
$$(63)\qquad t < (\log n)^{c \log^{(3)}(n)} \quad\text{and}\quad f(t)^{2} = \Big( \prod_{\{q \in \mathcal{V},\ (q-1) \mid t\}} q \Big)^{2} > n.$$ 
Heuristics indicate that the expected value of $c$ is $> \log(e)/\log(4)$, and the Theorem shows that one can choose $(t, s = f(t))$ in the given range, and then the existence of an $s$-th cyclotomic extension can be proved in time polynomial in $t$. The claim follows from (II) of Theorem 2. More precisely, if the existence of an $s$-th cyclotomic extension is proved by (35), then this relation should be proved for all pairs $\mathfrak{p} = (p^{k}, q) \in \mathcal{Q}$, as defined in Corollary 1. The verification of (35) for one fixed $\mathfrak{p}$ takes $O^{\sim}(p^{k} \cdot \log(n)^{2})$ binary operations, with the standard $O^{\sim}$ notation, in which factors that are polynomial in $\log(p)$, $\log^{(2)}(n)$ are neglected. We would wish to deduce some upper bounds on $p^{k}$, $q$ and $\sharp\mathcal{Q}$ using the above Theorem. From the prime number Theorem, if $1 < c$ is such that $\pi(X) < c \cdot \frac{X}{\log(X)}$ for all $X > e^{e}$, we have the estimate 
$$\prod_{p^{f} < c \log(X)} p^{f} > X^{1/2},$$ 
for all $X > e^{e}$, where $p^{f}$ are prime powers. Conversely, if $g(X) = \prod_{p^{f} < c \cdot \log(X)} p^{f}$ and $h(Y) = \min\{X : g(X) > Y^{1/2}\}$, the estimate implies: 
$$(64)\qquad h(Y) < c \log(Y) \quad\text{and}\quad \pi(h(Y)) < c^{2} \frac{\log(Y)}{\log^{(2)}(Y)}, \qquad \forall\, Y > 9.$$ 
From this and $q \le t$ we deduce that $d(s) < \frac{\log(n)}{\log^{(2)}(n)}$, where $d(s)$, the number of factors of $s = f(t)$, is equal to the number of distinct primes $q$ in the list of pairs $\mathcal{Q}$. We shall assume here that it is possible to build $t = \prod_{p^{k} < b} p^{k}$ as the product of the first prime powers such that $f(t) > \sqrt{n}$. This is a hypothesis and not a consequence of Theorem 9. If this holds, it follows from (64) that for $\mathfrak{p} = (p^{k}, q) \in \mathcal{Q}$ we have $p^{k} < c_{2} \log^{(2)}(n)$. Altogether, 
$$(65)\qquad \sharp\mathcal{Q} < c_{3} \log(n), \qquad p^{k} < c_{2} \cdot \log^{(2)}(n).$$ 
We have the following 

Fact 7. Let $n, s$ be coprime integers with $n > s > \sqrt{n}$, $s$ squarefree. There is a probabilistic Las Vegas algorithm which requires $O^{\sim}(\log(n)^{3})$ binary operations for proving the existence of an $s$-th cyclotomic extension. The algorithm generates a certificate for the existence of such an extension and the certificate can be verified, together with the validity of the Jacobi sums, in $O^{\sim}(\log(n)^{2})$ binary operations. 

Proof. The proof follows directly from (65) and the description of the algorithm in Section 6. Building up the saturated working extensions for all primes $p \mid t$ takes $O^{\sim}(\log(n)^{2})$ operations and in the certificate generation phase one has to perform an exponentiation with exponents $O(n)$ in extensions of small degree ($O(\log^{(2)}(n))$), for each $\mathfrak{p} \in \mathcal{Q}$: this leads to the claimed run time $O^{\sim}(\log(n) \times \log(n)^{2})$. The certification requires merely exponents of size $O(\log n)$, which explains the verification time, given the fact that certification of Jacobi sums is negligible by Lemma 3. □ 

The operations using superpolynomial time in the CPP primality proofs are quite elementary: they are the computation of $(2 \cdot \sharp\mathcal{Q}) \sim \log(n)$ multiple Jacobi sums and the test that $n \bmod (n^{k} \text{ rem } s) \neq 0$ for $k = 2, 3, \ldots, t - 1$. Both operations take $O^{\sim}(t \log(n))$ binary operations, and only the final test is specific for $n$; the Jacobi sums can be reused for numerous tests and it is conceivable to store large tables of precomputed sums. Although $t$ and $\log(n)$ are of different orders of magnitude, we specified the explicit factor $\log(n)$ for obvious reasons: the exponent of $\log(n)$ in the upper bound for $t$ diverges so slowly that it is useful to know by what polynomial factor $t$ is multiplied. 

Remark 10. We only estimated the certificates for the existence of $s$-th cyclotomic extensions. The existence of such an extension does not grant primality, and one still has to perform the final trial divisions (7), requiring a superpolynomial amount of operations, and for which we did not provide any possible certification. The interest of CPP certification would thus be rather theoretical, without a method to circumvent (7) completely. 

Such a method is described in [26], in connection with dual elliptic primes and a new algorithm which intimately combines CPP with ECPP. This combination yields a random cubic time primality test with certificates that can be verified in quadratic time, being thus the fastest general primality test to date. Like the Atkin version of ECPP, the run time estimates are based on some heuristics. 